Summary
Detail | | | |
---|---|---|---|
Vendor | Airsonic Project | First view | 2019-04-04 |
Product | Airsonic | Last view | 2019-04-07 |
Version | | Type | Application |
Update | | | |
Edition | | | |
Language | | | |
Software Edition | | | |
Target Software | | | |
Target Hardware | | | |
Other | | | |
COMMON PLATFORM ENUMERATION: Distribution per Version
CPE Name | Affected CVE |
---|---|
cpe:2.3:a:airsonic_project:airsonic:10.2.1:*:*:*:*:*:*:* | 2 |
cpe:2.3:a:airsonic_project:airsonic:*:*:*:*:*:*:*:* | 1 |
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
9.8 | 2019-04-07 | CVE-2019-10908 | In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks. |
9.8 | 2019-04-07 | CVE-2019-10907 | Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users. |
9.8 | 2019-04-04 | CVE-2018-20222 | XXE issue in Airsonic before 10.1.2 during parse. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
33% (1) | CWE-611 | Information Leak Through XML External Entity File Disclosure |
33% (1) | CWE-335 | PRNG Seed Error |
33% (1) | CWE-326 | Inadequate Encryption Strength |