{"id":"CVE-2019-10908","details":"In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks.","modified":"2026-04-11T08:55:42.785162Z","published":"2019-04-07T14:29:00.427Z","references":[{"type":"FIX","url":"https://github.com/airsonic/airsonic/commit/61c842923a6d60d4aedd126445a8437b53b752c8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/airsonic/airsonic","events":[{"introduced":"0"},{"last_affected":"58bd1753c9a9c59a69e467b28a2feeea43f17072"},{"fixed":"61c842923a6d60d4aedd126445a8437b53b752c8"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"10.2.1"}]}}],"versions":["v10.0.0","v10.0.1","v10.1.0","v10.1.1","v10.2.0","v10.2.1","v6.0.1","v6.1-alpha1","v6.1.beta1","v6.1.beta2","v6.2.beta1","v6.2.beta2","v6.2.beta3"],"database_specific":{"vanir_signatures_modified":"2026-04-11T08:55:42Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10908.json","vanir_signatures":[{"source":"https://github.com/airsonic/airsonic/commit/61c842923a6d60d4aedd126445a8437b53b752c8","deprecated":false,"id":"CVE-2019-10908-86ef7199","digest":{"function_hash":"325504793078609483966411285950876329835","length":1295},"signature_type":"Function","target":{"function":"recover","file":"airsonic-main/src/main/java/org/airsonic/player/controller/RecoverController.java"},"signature_version":"v1"},{"source":"https://github.com/airsonic/airsonic/commit/61c842923a6d60d4aedd126445a8437b53b752c8","deprecated":false,"id":"CVE-2019-10908-de09202f","digest":{"threshold":0.9,"line_hashes":["306902619043511208777043774479233319458","235260804270135839556344748120016677644","52252328664859783619630708361983114047","177140614392107701064657302501927018764","254785093093872409594456233108426115839","98420451014953792449252712386928920945","53254821030174006499322925024081186116","237882640957566887093044149016074411570","41150062776900013791720395791978191229","91895520617278394574573291235136116966","70447786806686895237620879881896881667","220929181535967927907967111098680390572","79080806081490026652277835295310742198","14103496997639108755502257368917195492"]},"signature_type":"Line","target":{"file":"airsonic-main/src/main/java/org/airsonic/player/controller/RecoverController.java"},"signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}