org.jasypt:jasypt@1.7 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.jasypt:jasypt package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Timing Attack (Severity: H, high)

org.jasypt:jasypt is a Java library that lets developers add basic encryption capabilities to their projects with minimal effort and without requiring deep knowledge of how cryptography works.

Affected versions of this package are vulnerable to Timing Attacks because password hashes are compared with the Arrays.equals function, which returns as soon as it finds a mismatching byte, so the comparison time depends on how many leading bytes of the candidate match the stored hash. A local user can exploit this timing side channel in the Jasypt component's password hash comparison to determine passwords on the target system.

How to fix Timing Attack?

Upgrade org.jasypt:jasypt to version 1.9.2 or higher.

Vulnerable versions: [,1.9.2)
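The comparison defect and its remedy, as an added illustration that is not Jasypt's own code: earlyExitCompare mirrors the behaviour of Arrays.equals and reports how many bytes it examined before stopping, while constantTimeEquals (and the JDK's MessageDigest.isEqual) examine every byte regardless of where the first difference lies. The hash values are constructed placeholders, not real Jasypt output.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class HashCompareDemo {
    // Mirrors the early-exit behaviour of Arrays.equals(byte[], byte[]): the loop
    // stops at the first mismatching byte. The return value is the number of bytes
    // examined, which is the quantity an observer infers from the elapsed time.
    static int earlyExitCompare(byte[] stored, byte[] candidate) {
        if (stored.length != candidate.length) {
            return 0; // length mismatch is detected before any byte is read
        }
        int i = 0;
        while (i < stored.length && stored[i] == candidate[i]) {
            i++;
        }
        return i; // equals stored.length only when the two arrays match
    }

    // Constant-time alternative: every byte is XORed into an accumulator, so the
    // work done does not depend on the position of the first difference.
    static boolean constantTimeEquals(byte[] stored, byte[] candidate) {
        if (stored.length != candidate.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < stored.length; i++) {
            diff |= stored[i] ^ candidate[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed placeholders standing in for a stored password hash and two
        // wrong candidates that differ in the first and in the last byte respectively.
        byte[] stored     = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        byte[] wrongFirst = "X123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        byte[] wrongLast  = "0123456789abcdeX".getBytes(StandardCharsets.US_ASCII);
        // Both candidates are rejected, but the early-exit path does far less work
        // for wrongFirst than for wrongLast; that gap is the observable timing signal.
        System.out.println("Arrays.equals(stored, wrongFirst) = " + Arrays.equals(stored, wrongFirst));
        System.out.println("bytes examined, first-byte mismatch: " + earlyExitCompare(stored, wrongFirst));
        System.out.println("bytes examined, last-byte mismatch:  " + earlyExitCompare(stored, wrongLast));

        // The constant-time versions examine all 16 bytes in either case.
        System.out.println("constantTimeEquals(stored, wrongLast) = " + constantTimeEquals(stored, wrongLast));
        System.out.println("MessageDigest.isEqual(stored, wrongLast) = " + MessageDigest.isEqual(stored, wrongLast));
    }
}
```

Note that both constant-time variants still reveal whether the lengths differ; for fixed-length digests, as in a password hash check, that is not a secret.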