In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks.

Threat-Mapped Scoring

Score: 1.8

Priority: P4 - Informational (Low)

• S9 – Sabotage of System/App

EPSS

Score: 0.00433
Percentile: 0.61939

CVSS Scoring

Mapped CWE(s)

• CWE-335 : Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Affected Products

• cpe:2.3:a:airsonic_project:airsonic:10.2.1:*:*:*:*:*:*:*

← Back to Home