Vulnerability: Weak PRNG Seed in Airsonic 10.2.1 Leads to Privilege Escalation Attacks
CVE-2019-10908 · HIGH Severity
CVSS v2 vector: AV:N/AC:L/AU:N/C:P/I:P/A:P
In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. That PRNG has only a 48-bit seed, which can easily be brute-forced, so the generated passwords are predictable and allow trivial privilege escalation attacks.
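Added example (not Airsonic's code): the java.util.Random-backed generator beside a SecureRandom-backed one, showing why the former's output space is bounded by the 48-bit seed regardless of password length. The class and method names are assumed for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added illustration, not Airsonic's code: contrasts a password generator
// seeded into java.util.Random with one backed by the platform CSPRNG.
public class RecoveryPasswordExample {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Weak: java.util.Random is a 48-bit linear congruential generator, so every
    // output is a pure function of its seed. A 16-character alphanumeric password
    // nominally has 62^16 values, but this generator can only ever produce 2^48 of
    // them. RandomStringUtils.randomAlphanumeric() in commons-lang draws from the
    // same class, which is the defect described above.
    static String weakPassword(int length, long seed) {
        Random rnd = new Random(seed);
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rnd.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Hardened: SecureRandom pulls entropy from the OS CSPRNG. The output space is
    // the full 62^length and observed passwords reveal nothing about future ones.
    static String strongPassword(int length) {
        SecureRandom rnd = new SecureRandom();
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rnd.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Same seed, same "random" password: whoever knows the seed knows every
        // recovery password the weak generator ever issued.
        String a = weakPassword(16, 12345L);
        String b = weakPassword(16, 12345L);
        System.out.println("weak generator deterministic: " + a.equals(b));
        System.out.println("hardened password: " + strongPassword(16));
    }
}
```

If the code must keep using commons-lang, the same fix applies through the overload that accepts a Random instance, e.g. RandomStringUtils.random(16, 0, 0, true, true, null, new SecureRandom()), so the library never falls back to its internal java.util.Random.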