CVE-2026-9370 ulisesbocchio CVE debrief

Who should care

Development teams using jasypt-spring-boot for encrypted configuration in Spring Boot applications; security architects evaluating Java encryption libraries; compliance officers assessing cryptographic control adequacy for password protection requirements.

Technical summary

The `getSecretKeySaltGenerator()` method in `SimpleGCMConfig.java` fails to generate cryptographically random salts for password hashing operations. When salts are predictable, attackers with access to hash outputs can precompute rainbow tables or perform efficient dictionary attacks against user passwords. The GCM (Galois/Counter Mode) encryption configuration's salt generation weakness undermines the confidentiality protections intended for encrypted configuration properties in Spring Boot applications. Attack complexity is rated high due to the need for remote exploitation conditions, but proof-of-concept code availability reduces practical difficulty for determined adversaries.

Defensive priority

low

Recommended defensive actions

• Review applications using jasypt-spring-boot versions ≤3.0.5 or ≤4.0.4 for password encryption implementations
• Audit custom `SimpleGCMConfig` configurations that may override default salt generation behavior
• Monitor GitHub issue 431 for vendor response and patch availability
• Consider implementing application-layer salt randomization as a compensating control until patch is released
• Evaluate migration to alternative encryption libraries with robust salt generation if vendor remains unresponsive

Evidence notes

CVE published 2026-05-24; modified 2026-05-26. NVD status: Deferred. CVSS 4.0 vector confirms AV:N/AC:H with proof-of-concept exploit availability. CWE-759 and CWE-760 assigned by VulDB. GitHub issue 431 documents vendor notification without response.

Official resources