PatchSiren

ulisesbocchio CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Severity: LOW | ulisesbocchio CVE | published 2026-05-24

CVE-2026-9370

A cryptographic weakness exists in ulisesbocchio jasypt-spring-boot versions up to 3.0.5 and 4.0.4. The vulnerability resides in the `getSecretKeySaltGenerator` method within `SimpleGCMConfig.java`, where a predictable salt is used in password hashing operations. This falls under CWE-759 (Use of a One-Way Hash without a Salt) and CWE-760 (Use of a One-Way Hash with a Predictable Salt). The CVSS 4.0 vector [truncated]