Vulnerability Database
Blog
FAQ
Docs
GHSA-r5c2-rxh2-f5h2
Suggest an improvement
Source
https://github.com/advisories/GHSA-r5c2-rxh2-f5h2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r5c2-rxh2-f5h2/GHSA-r5c2-rxh2-f5h2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r5c2-rxh2-f5h2
Aliases
CVE-2014-9970
Published
2022-05-14T03:44:52Z
Modified
2024-02-20T05:28:24.651641Z
Severity
7.5 (High)
CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Calculator
Summary
Exposure of Sensitive Information to an Unauthorized Actor in Apache Jasypt
Details
jasypt before 1.9.2 allows a timing attack against the password hash comparison.
References
https://nvd.nist.gov/vuln/detail/CVE-2014-9970
https://access.redhat.com/errata/RHSA-2017:2546
https://access.redhat.com/errata/RHSA-2017:2547
https://access.redhat.com/errata/RHSA-2017:2808
https://access.redhat.com/errata/RHSA-2017:2809
https://access.redhat.com/errata/RHSA-2017:2810
https://access.redhat.com/errata/RHSA-2017:2811
https://access.redhat.com/errata/RHSA-2017:3141
https://access.redhat.com/errata/RHSA-2018:0294
https://sourceforge.net/p/jasypt/code/668
Affected packages
Maven
/
org.jasypt:jasypt
Package
Name
org.jasypt:jasypt
View open source insights on deps.dev
Purl
pkg:maven/org.jasypt/jasypt
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
1.9.2
Affected versions
1.*
1.0
1.1
1.2
1.3
1.3.1
1.4
1.4.1
1.5
1.6
1.7
1.7.1
1.8
1.9.0
1.9.1
GHSA-r5c2-rxh2-f5h2 - OSV