
exploitDog

CVE-2019-10907

Published: 07 Apr 2019
Source: nvd
CVSS3: 9.8
CVSS2: 5
EPSS: Low

Description

Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.

Vulnerable configurations

Configuration 1
cpe:2.3:a:airsonic_project:airsonic:10.2.1:*:*:*:*:*:*:*

EPSS

Percentile: 37%
0.00161
Low

9.8 Critical

CVSS3

5 Medium

CVSS2

Weaknesses

CWE-326

Related vulnerabilities

CVSS3: 9.8
github
more than 3 years ago

Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.
