CVE-2019-10908

Name of the Vulnerable Software and Affected Versions Airsonic version 10.2.1

Description The issue concerns the generation of passwords in Airsonic, where the RecoverController.java uses org.apache.commons.lang.RandomStringUtils, which relies on java.util.Random. This pseudorandom number generator (PRNG) has a 48-bit seed, making it vulnerable to brute-force attacks, which can lead to privilege escalation.

Recommendations For Airsonic version 10.2.1, consider disabling the password recovery feature until a secure password generation mechanism is implemented. Restrict access to sensitive areas of the application to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.