Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for jasypt-spring-boot by ulisesbocchio

    CVE-2026-9370 (GCVE-0-2026-9370)

    Vulnerability from nvd – Published: 2026-05-24 09:15 – Updated: 2026-05-29 18:21
    VLAI
    Title
    ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt
    Summary
    A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password Hash Handler. Executing a manipulation can lead to use of a one-way hash with a predictable salt. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-760 - Use of a One-Way Hash with a Predictable Salt
    • CWE-759 - One-Way Hash without Salt
    Assigner
    References
    Impacted products
    Vendor Product Version
    ulisesbocchio jasypt-spring-boot Affected: 3.0.0
    Affected: 3.0.1
    Affected: 3.0.2
    Affected: 3.0.3
    Affected: 3.0.4
    Affected: 3.0.5
    Affected: 4.0.0
    Affected: 4.0.1
    Affected: 4.0.2
    Affected: 4.0.3
    Affected: 4.0.4
        cpe:2.3:a:ulisesbocchio:jasypt-spring-boot:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    zyhhoward (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9370",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T18:20:18.023852Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T18:21:14.139Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ulisesbocchio:jasypt-spring-boot:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Password Hash Handler"
              ],
              "product": "jasypt-spring-boot",
              "vendor": "ulisesbocchio",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0.0"
                },
                {
                  "status": "affected",
                  "version": "3.0.1"
                },
                {
                  "status": "affected",
                  "version": "3.0.2"
                },
                {
                  "status": "affected",
                  "version": "3.0.3"
                },
                {
                  "status": "affected",
                  "version": "3.0.4"
                },
                {
                  "status": "affected",
                  "version": "3.0.5"
                },
                {
                  "status": "affected",
                  "version": "4.0.0"
                },
                {
                  "status": "affected",
                  "version": "4.0.1"
                },
                {
                  "status": "affected",
                  "version": "4.0.2"
                },
                {
                  "status": "affected",
                  "version": "4.0.3"
                },
                {
                  "status": "affected",
                  "version": "4.0.4"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "zyhhoward (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password Hash Handler. Executing a manipulation can lead to use of a one-way hash with a predictable salt. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.6,
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-760",
                  "description": "Use of a One-Way Hash with a Predictable Salt",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-759",
                  "description": "One-Way Hash without Salt",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-24T09:15:09.292Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-365333 | ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/365333"
            },
            {
              "name": "VDB-365333 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/365333/cti"
            },
            {
              "name": "Submit #813198 | Ulises Bocchio jasypt-spring-boot 3.0.0 to 4.0.4 Cryptographic Issues",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/813198"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/ulisesbocchio/jasypt-spring-boot/issues/431"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/dntyfate/cve/issues/3"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/ulisesbocchio/jasypt-spring-boot/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-23T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-23T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-23T13:02:38.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-9370",
        "datePublished": "2026-05-24T09:15:09.292Z",
        "dateReserved": "2026-05-23T10:57:33.860Z",
        "dateUpdated": "2026-05-29T18:21:14.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9370 (GCVE-0-2026-9370)

    Vulnerability from cvelistv5 – Published: 2026-05-24 09:15 – Updated: 2026-05-29 18:21
    VLAI
    Title
    ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt
    Summary
    A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password Hash Handler. Executing a manipulation can lead to use of a one-way hash with a predictable salt. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-760 - Use of a One-Way Hash with a Predictable Salt
    • CWE-759 - One-Way Hash without Salt
    Assigner
    References
    Impacted products
    Vendor Product Version
    ulisesbocchio jasypt-spring-boot Affected: 3.0.0
    Affected: 3.0.1
    Affected: 3.0.2
    Affected: 3.0.3
    Affected: 3.0.4
    Affected: 3.0.5
    Affected: 4.0.0
    Affected: 4.0.1
    Affected: 4.0.2
    Affected: 4.0.3
    Affected: 4.0.4
        cpe:2.3:a:ulisesbocchio:jasypt-spring-boot:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    zyhhoward (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9370",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T18:20:18.023852Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T18:21:14.139Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ulisesbocchio:jasypt-spring-boot:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Password Hash Handler"
              ],
              "product": "jasypt-spring-boot",
              "vendor": "ulisesbocchio",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0.0"
                },
                {
                  "status": "affected",
                  "version": "3.0.1"
                },
                {
                  "status": "affected",
                  "version": "3.0.2"
                },
                {
                  "status": "affected",
                  "version": "3.0.3"
                },
                {
                  "status": "affected",
                  "version": "3.0.4"
                },
                {
                  "status": "affected",
                  "version": "3.0.5"
                },
                {
                  "status": "affected",
                  "version": "4.0.0"
                },
                {
                  "status": "affected",
                  "version": "4.0.1"
                },
                {
                  "status": "affected",
                  "version": "4.0.2"
                },
                {
                  "status": "affected",
                  "version": "4.0.3"
                },
                {
                  "status": "affected",
                  "version": "4.0.4"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "zyhhoward (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password Hash Handler. Executing a manipulation can lead to use of a one-way hash with a predictable salt. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.6,
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-760",
                  "description": "Use of a One-Way Hash with a Predictable Salt",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-759",
                  "description": "One-Way Hash without Salt",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-24T09:15:09.292Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-365333 | ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/365333"
            },
            {
              "name": "VDB-365333 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/365333/cti"
            },
            {
              "name": "Submit #813198 | Ulises Bocchio jasypt-spring-boot 3.0.0 to 4.0.4 Cryptographic Issues",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/813198"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/ulisesbocchio/jasypt-spring-boot/issues/431"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/dntyfate/cve/issues/3"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/ulisesbocchio/jasypt-spring-boot/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-23T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-23T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-23T13:02:38.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-9370",
        "datePublished": "2026-05-24T09:15:09.292Z",
        "dateReserved": "2026-05-23T10:57:33.860Z",
        "dateUpdated": "2026-05-29T18:21:14.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }