Description
In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2019-2627 | In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks. |
References
History
No history.
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-04T22:40:15.422Z
Reserved: 2019-04-07T00:00:00.000Z
Link: CVE-2019-10908
No data.
Status : Modified
Published: 2019-04-07T14:29:00.427
Modified: 2026-06-17T02:11:52.633
Link: CVE-2019-10908
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-335
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
EUVD