Description
A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. The affected code is the function getSecretKeySaltGenerator in the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java, part of the Password Hash Handler component. Executing a manipulation can lead to the use of a one-way hash with a predictable salt. The attack can be launched remotely but requires a high level of complexity, and exploitation appears to be difficult. An exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-24
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in jasypt-spring-boot's getSecretKeySaltGenerator function leads to the use of a one-way hash with a predictable salt. The vulnerability is classed as CWE-759 and CWE-760. An attacker can exploit predictable salts in password hashes, potentially aiding password compromise and undermining the integrity of stored credentials.

Affected Systems

The weakness affects the ulisesbocchio:jasypt-spring-boot library up to versions 3.0.5 and 4.0.4. All installations that incorporate these unpatched versions are susceptible.

Risk and Exploitability

The CVSS base score is 6.3 and no EPSS information is available. The vulnerability is remotely exploitable, but exploitation is considered difficult and requires a high level of complexity. A public exploit has been disclosed, indicating that attackers can attempt to leverage the predictable salt flaw if the application relies on the default configuration.

Generated by OpenCVE AI on May 24, 2026 at 11:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the jasypt-spring-boot library to the latest released version that addresses the predictable salt flaw.
  • Configure the application to use a custom salt generator that provides unpredictable, random salts for password hashing.
  • Audit and test password hashing functionality to confirm deterministic salts are no longer used.

Advisories

No advisories yet.

History

Fri, 29 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 24 May 2026 10:00:00 +0000

Type | Values Removed | Values Added
Description |  | A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password Hash Handler. Executing a manipulation can lead to use of a one-way hash with a predictable salt. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title |  | ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt
First Time Appeared |  | Ulisesbocchio; Ulisesbocchio jasypt-spring-boot
Weaknesses |  | CWE-759; CWE-760
CPEs |  | cpe:2.3:a:ulisesbocchio:jasypt-spring-boot:*:*:*:*:*:*:*:*
Vendors & Products |  | Ulisesbocchio; Ulisesbocchio jasypt-spring-boot
References |  | 
Metrics |  | cvssV2_0: {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
Metrics |  | cvssV3_0: {'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics |  | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics |  | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-29T18:21:14.139Z

Reserved: 2026-05-23T10:57:33.860Z

Link: CVE-2026-9370

Vulnrichment

Updated: 2026-05-29T18:21:09.971Z

NVD

Status: Deferred

Published: 2026-05-24T10:16:15.537

Modified: 2026-05-26T19:54:40.357

Link: CVE-2026-9370

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T13:30:15Z

Weaknesses
  • CWE-759: Use of a One-Way Hash without a Salt
  • CWE-760: Use of a One-Way Hash with a Predictable Salt