Airsonic Project Airsonic 10.2.1

CPE Details

Airsonic Project Airsonic 10.2.1
airsonic_project
airsonic
10.2.1
2019-04-08
09h56 +00:00
2019-04-08
09h56 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:airsonic_project:airsonic:10.2.1:*:*:*:*:*:*:*

Informations

Vendor

airsonic_project

Product

airsonic

Version

10.2.1

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2019-10908 2019-04-07 11h32 +00:00 In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks.
9.8
Critical
CVE-2019-10907 2019-04-07 11h32 +00:00 Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.
9.8
Critical
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.