CVE-2019-10907 Information

Description

Airsonic 10.2.1 uses Spring’s default remember-me mechanism based on MD5 with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/airsonic/airsonic/commit/3e07ea52885f88d3fbec444dfd592f27bfb65647

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8