Debian Linux Security Advisory 4829-1 - A flaw was discovered in coturn, a TURN and STUN server for VoIP. By default, coturn does not allow peers on the loopback addresses (127.x.x.x and ::1). A remote attacker can bypass this protection via a specially crafted request using a peer address of '0.0.0.0' and trick coturn into relaying to the loopback interface. If coturn is listening on IPv6, the loopback interface can also be reached by using either [::1] or [::] as the address.
0e50e94f21084349379aee27ae6a0c950c9d141059b68a995c92c65ef2de6f30
Ubuntu Security Notice 4690-1 - It was discovered that coTURN allowed peers to connect and relay packets to loopback addresses in the range of 127.x.x.x. A malicious user could use this vulnerability to insert packets into the loopback interface.
e5a6b608a261733f2ac478eebef781a73d720ced5c66448b8f123eac9fc56328
Coturn version 4.5.1.x suffers from a loopback access control bypass vulnerability.
229c4e41914e88114f7a7cb31815c02ae2d943c82d215356fe5d583cf79c579d