This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor: Airsonic Project
Product: Airsonic
Version:
Type: Application
First view: 2019-04-04
Last view: 2019-04-07
Update:
Edition:
Language:
Software Edition:
Target Software:
Target Hardware:
Other:

COMMON PLATFORM ENUMERATION: Repartition per Version

CPE Name Affected CVE
cpe:2.3:a:airsonic_project:airsonic:10.2.1:*:*:*:*:*:*:* 2
cpe:2.3:a:airsonic_project:airsonic:*:*:*:*:*:*:*:* 1

Related : CVE

  Date Alert Description
9.8 2019-04-07 CVE-2019-10908

In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks.

9.8 2019-04-07 CVE-2019-10907

Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.

9.8 2019-04-04 CVE-2018-20222

XXE issue in Airsonic before 10.1.2 during parse.

CWE : Common Weakness Enumeration

% id Name
33% (1) CWE-611 Information Leak Through XML External Entity File Disclosure
33% (1) CWE-335 PRNG Seed Error
33% (1) CWE-326 Inadequate Encryption Strength