CVE-2026-9370: Use of a One-Way Hash with a Predictable Salt in ulisesbocchio jasypt-spring-boot
CVE-2026-9370 is a medium severity vulnerability in the ulisesbocchio jasypt-spring-boot library versions up to 3. 0. 5 and 4. 0. 4. The issue involves the use of a one-way hash with a predictable salt in the getSecretKeySaltGenerator function, which could weaken password hashing. Exploitation requires a high level of complexity and can be performed remotely, but it is considered difficult. The vulnerability has been publicly disclosed, and no official patch or vendor response has been provided yet.
AI Analysis
Technical Summary
This vulnerability affects the getSecretKeySaltGenerator function in the Password Hash Handler component of ulisesbocchio jasypt-spring-boot (up to versions 3.0.5 and 4.0.4). It allows an attacker to exploit the use of a one-way hash with a predictable salt, potentially reducing the effectiveness of password hashing. The attack vector is remote with no privileges or user interaction required, but the attack complexity is high. The vulnerability has a CVSS 4.0 base score of 6.3 (medium severity). The project has been informed but has not yet issued a fix or official remediation guidance.
Potential Impact
The vulnerability could weaken the cryptographic strength of password hashing by using a predictable salt, potentially aiding attackers in password-related attacks. However, exploitation is difficult due to the high complexity required. There is no indication of privilege escalation, user interaction, or impact on confidentiality, integrity, or availability beyond the weakened hashing mechanism.
Mitigation Recommendations
No official patch or remediation has been released by the vendor as of the published date. Patch status is not yet confirmed — check the vendor advisory or project repository for current remediation guidance. Until a fix is available, users should consider mitigating risk by avoiding affected versions or implementing additional protective measures around password handling.
CVE-2026-9370: Use of a One-Way Hash with a Predictable Salt in ulisesbocchio jasypt-spring-boot
Description
CVE-2026-9370 is a medium severity vulnerability in the ulisesbocchio jasypt-spring-boot library versions up to 3. 0. 5 and 4. 0. 4. The issue involves the use of a one-way hash with a predictable salt in the getSecretKeySaltGenerator function, which could weaken password hashing. Exploitation requires a high level of complexity and can be performed remotely, but it is considered difficult. The vulnerability has been publicly disclosed, and no official patch or vendor response has been provided yet.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects the getSecretKeySaltGenerator function in the Password Hash Handler component of ulisesbocchio jasypt-spring-boot (up to versions 3.0.5 and 4.0.4). It allows an attacker to exploit the use of a one-way hash with a predictable salt, potentially reducing the effectiveness of password hashing. The attack vector is remote with no privileges or user interaction required, but the attack complexity is high. The vulnerability has a CVSS 4.0 base score of 6.3 (medium severity). The project has been informed but has not yet issued a fix or official remediation guidance.
Potential Impact
The vulnerability could weaken the cryptographic strength of password hashing by using a predictable salt, potentially aiding attackers in password-related attacks. However, exploitation is difficult due to the high complexity required. There is no indication of privilege escalation, user interaction, or impact on confidentiality, integrity, or availability beyond the weakened hashing mechanism.
Mitigation Recommendations
No official patch or remediation has been released by the vendor as of the published date. Patch status is not yet confirmed — check the vendor advisory or project repository for current remediation guidance. Until a fix is available, users should consider mitigating risk by avoiding affected versions or implementing additional protective measures around password handling.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-23T10:57:33.860Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a12cc8109f6977edb4bf3d5
Added to database: 5/24/2026, 10:01:37 AM
Last enriched: 5/24/2026, 10:16:37 AM
Last updated: 5/24/2026, 11:38:43 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.