jasypt-spring-boot Uses a One-Way Hash without a Salt
Low severity
GitHub Reviewed
Published
May 26, 2026
to the GitHub Advisory Database
•
Updated Jun 30, 2026
Description
Published by the National Vulnerability Database
May 24, 2026
Published to the GitHub Advisory Database
May 26, 2026
Reviewed
Jun 30, 2026
Last updated
Jun 30, 2026
A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password Hash Handler. Executing a manipulation can lead to use of a one-way hash with a predictable salt. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
References