CVE-2026-9370

ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt

CVSS 6.3 MEDIUMEPSS 0.2%CWE-759 CWE-760

A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password Hash Handler. Executing a manipulation can lead to use of a one-way hash with a predictable salt. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Affected products

ulisesbocchio · jasypt-spring-boot

public PoCs found — 1

cve_referencegithub.com/dntyfate/cve/issues/3unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/dntyfate/cve/issues/3 https://github.com/ulisesbocchio/jasypt-spring-boot/https://github.com/ulisesbocchio/jasypt-spring-boot/issues/431 https://vuldb.com/submit/813198 https://vuldb.com/vuln/365333 https://vuldb.com/vuln/365333/cti