Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Network-reachable admin panel with low-complexity SQLi, but requires authenticated admin (PR:H); full C/I/A loss of the database, scope kept U though COPY TO PROGRAM host compromise could justify S:C.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly into SQL queries via snprintf string interpolation without sanitization. The is_secure_string filter that protects the STUN protocol path is not applied to the admin panel's delete-user, delete-secret, and delete-IP operations, so an authenticated admin can inject arbitrary SQL through the du, ds, and dip parameters, gaining full database control and potentially OS-level access via PostgreSQL COPY TO PROGRAM. This issue is fixed in version 4.12.0.
AnalysisAI
SQL injection in the Coturn TURN/STUN server's HTTPS admin panel (versions prior to 4.12.0) allows an authenticated administrator to inject arbitrary SQL via the du, ds, and dip query parameters of the delete-user, delete-secret, and delete-IP operations, yielding full backend database control and, on PostgreSQL deployments, OS-level command execution through COPY TO PROGRAM. The admin panel's parameters are interpolated into queries with snprintf while bypassing the is_secure_string filter that guards the STUN protocol path. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated administrator session on Coturn's optional HTTPS admin panel (PR:H), which must be enabled and network-reachable by the attacker - it is not part of a default STUN/TURN relay configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - network-reachable, low complexity, no user interaction, but requiring high privileges (an authenticated admin, PR:H), with total confidentiality, integrity, and availability impact on the database. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been granted Coturn admin panel credentials (or an insider abusing legitimate access) sends a crafted HTTPS request to the delete-user endpoint with a malicious du parameter containing SQL metacharacters. Because the input is interpolated straight into the query, the attacker reads or modifies the entire credential database and, against a PostgreSQL backend running as a privileged role, chains COPY TO PROGRAM to execute shell commands on the database host. … |
| Remediation | Vendor-released patch: upgrade to Coturn 4.12.0 or later (https://github.com/coturn/coturn/releases/tag/4.12.0), which applies the is_secure_string sanitization to the admin panel delete operations as implemented in PR 1924 / commit b84dbab1d1aa6e2bf0211a1cdbb250d6de2a0d09; review details in advisory GHSA-v8hj-2xx7-xmp5. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Coturn deployments to identify affected versions (pre-4.12.0); determine whether admin panels are accessible from untrusted networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42969