Submission #813198: Ulises Bocchio jasypt-spring-boot 3.0.0 to 4.0.4 Cryptographic Issues

Title: Ulises Bocchio jasypt-spring-boot 3.0.0 to 4.0.4 Cryptographic Issues
Description:

jasypt-spring-boot is a Spring Boot library that adds transparent property-level encryption (it decrypts ENC(...) values at startup). Its AES/GCM master-password mode uses a hardcoded all-zero PBKDF2 salt when jasypt.encryptor.gcm-secret-key-salt is not configured; this is the documented default per the project README ("Optional, defaults to 0, no salt"). Because PBKDF2 with a fixed salt is deterministic, every deployment using the same master password derives byte-identical AES-256 keys.

VULNERABLE CODE

File: jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java (lines 75-81)

    public SaltGenerator getSecretKeySaltGenerator() {
        return saltGenerator != null
                ? saltGenerator
                : (secretKeySalt == null
                        ? new ZeroSaltGenerator()
                        : new FixedBase64ByteArraySaltGenerator(secretKeySalt));
    }

The default iteration count of 1000 for PBKDF2-HMAC-SHA256 (also present in StringEncryptorBuilder.createPBEDefault() at line 97 for PBE mode) compounds the issue: OWASP 2023 guidance is 600,000 iterations.

IMPACT

1. Cross-deployment AES key reuse. Two independent deployments sharing only the master password derive byte-identical keys; ciphertext from any one deployment decrypts on any other. This breaks multi-tenant and multi-environment (dev/stage/prod) deployments that share a master password, a pattern the README example implicitly enables.

2. Offline rainbow-table attack against weak master passwords. With the salt fixed at zero, a single precomputed PBKDF2 table applies to every target worldwide.

PROOF OF CONCEPT

JUnit 5 test (3/3 pass on JDK 17+, jasypt 1.9.3):

    Derived AES key (deployment A): f8dd1a881bb76f3df8d0482c6815aeb91aa75a2a2c84cba585aecee1103a93bf
    Derived AES key (deployment B): f8dd1a881bb76f3df8d0482c6815aeb91aa75a2a2c84cba585aecee1103a93bf
    Plaintext : db-admin-password=hunter2
    A-ciphertext decrypted on B successfully.

CLASSIFICATION

CWE-760 (Use of a One-Way Hash with a Predictable Salt), primary
CWE-916 (Use of Password Hash With Insufficient Computational Effort)
CWE-1188 (Initialization of a Resource with an Insecure Default)

AFFECTED VERSIONS

All releases shipping SimpleGCMConfig (3.0.0 through 4.0.4). No fix available at time of disclosure.

ON THE "OPTIONAL" FRAMING

The README's wording ("Optional, defaults to 0, no salt") does not absolve the library; it makes this a textbook CWE-1188. The wording is materially misleading: "no salt" implies the step is skipped, while the actual behavior is a hardcoded 16-byte all-zero constant shared across every deployment of the library worldwide. No startup warning is emitted.

Full technical writeup, reproducible PoC, and discussion: https://github.com/dntyfate/cve/issues/3
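To make the deterministic derivation concrete and give operators the startup check the report says the library lacks, here is an added Python example (not code from the report, its PoC, or jasypt-spring-boot). It mirrors the PBKDF2-HMAC-SHA256 parameters the report describes; the `audit_gcm_salt` helper, its messages, and the sample property values are assumptions.

```python
import base64
import hashlib
import os

# Parameters mirroring the GCM-mode defaults the report describes:
# PBKDF2-HMAC-SHA256, 1000 iterations, 16-byte all-zero salt, 32-byte AES key.
DEFAULT_ITERATIONS = 1000
ZERO_SALT = bytes(16)
KEY_LEN = 32
OWASP_ITERATIONS = 600_000  # OWASP 2023 figure quoted in the report


def derive_aes_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation, the primitive the report describes."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, KEY_LEN)


def keys_collide(master_password: str, salt_a: bytes, salt_b: bytes, iterations: int) -> bool:
    """True when two deployments sharing a master password derive the same AES key."""
    key_a = derive_aes_key(master_password, salt_a, iterations)
    key_b = derive_aes_key(master_password, salt_b, iterations)
    return key_a == key_b


def audit_gcm_salt(properties: dict) -> list:
    """Hypothetical startup check (not part of the library): flags the silent
    fallback to ZeroSaltGenerator and any configured salt equivalent to it."""
    findings = []
    raw = properties.get("jasypt.encryptor.gcm-secret-key-salt")
    if raw is None:
        return ["gcm-secret-key-salt not set: library falls back to ZeroSaltGenerator"]
    try:
        salt = base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["gcm-secret-key-salt is not valid base64"]
    if len(salt) < 16:
        findings.append("gcm-secret-key-salt is shorter than the 16 bytes the default uses")
    if salt and salt == bytes(len(salt)):
        findings.append("gcm-secret-key-salt decodes to all zeros (same as the insecure default)")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real deployment.
    zero_b64 = "A" * 22 + "=="  # base64 of 16 zero bytes
    random_b64 = base64.b64encode(os.urandom(16)).decode()
    for value in (None, zero_b64, random_b64):
        props = {} if value is None else {"jasypt.encryptor.gcm-secret-key-salt": value}
        print(props, "->", audit_gcm_salt(props) or ["ok"])
    print("shared password, default salt, keys collide:",
          keys_collide("hunter2", ZERO_SALT, ZERO_SALT, DEFAULT_ITERATIONS))
    print("shared password, per-deployment salts, keys collide:",
          keys_collide("hunter2", os.urandom(16), os.urandom(16), OWASP_ITERATIONS))
```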
Source: https://github.com/dntyfate/cve/issues/3
User: zyhhoward (UID 97563)
Submission: 26/04/2026 02:18 (1 month ago)
Moderation: 23/05/2026 12:57 (27 days later)
Status: Accepted
VulDB Entry: 365333 [ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4 Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator information disclosure]
Points: 20
