{"id":"CVE-2019-10907","details":"Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.","modified":"2026-04-11T08:55:42.484130Z","published":"2019-04-07T14:29:00.237Z","references":[{"type":"FIX","url":"https://github.com/airsonic/airsonic/commit/3e07ea52885f88d3fbec444dfd592f27bfb65647"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/airsonic/airsonic","events":[{"introduced":"0"},{"last_affected":"58bd1753c9a9c59a69e467b28a2feeea43f17072"},{"fixed":"3e07ea52885f88d3fbec444dfd592f27bfb65647"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"10.2.1"}]}}],"versions":["v10.0.0","v10.0.1","v10.1.0","v10.1.1","v10.2.0","v10.2.1","v6.0.1","v6.1-alpha1","v6.1.beta1","v6.1.beta2","v6.2.beta1","v6.2.beta2","v6.2.beta3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10907.json","vanir_signatures_modified":"2026-04-11T08:55:42Z","vanir_signatures":[{"source":"https://github.com/airsonic/airsonic/commit/3e07ea52885f88d3fbec444dfd592f27bfb65647","signature_type":"Line","target":{"file":"airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java"},"signature_version":"v1","digest":{"line_hashes":["303704105775196217024279013170664490936","2446681687777448089538238093434030719","42111404749834803587671574570883347907","133585551283528248972958941242053989813","154264793489246672321098524434749498489","312957750971785111436900567639562862859","215139526197560750367736025129617611661","286302168458483881366205302442985315582","329546977764431779538205964297571993469","109976895431288495263302100766870175155"],"threshold":0.9},"id":"CVE-2019-10907-913e7320","deprecated":false},{"source":"https://github.com/airsonic/airsonic/commit/3e07ea52885f88d3fbec444dfd592f27bfb65647","signature_type":"Function","target":{"function":"configure","file":"airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java"},"signature_version":"v1","digest":{"function_hash":"225445002587459582225339103306879177313","length":1780},"id":"CVE-2019-10907-fe5f8b46","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}