CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2019-10908

In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.004

EPSS Ranking 62.0%

CVSS Severity

CVSS v3 Score 9.8

CVSS v2 Score 7.5

References

https://github.com/airsonic/airsonic/commit/61c842923a6d60d4aedd126445a8437b53b752c8
https://github.com/airsonic/airsonic/commit/61c842923a6d60d4aedd126445a8437b53b752c8

Products affected by CVE-2019-10908

Airsonic Project » Airsonic » Version: 10.2.1

cpe:2.3:a:airsonic_project:airsonic:10.2.1

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2019-10908

Products

Pricing

Contact Us