jasypt is vulnerable to timing attacks. The attacks are possible because it uses `Arrays.equals`
to verify passwords, including passwords of different lengths, so the time taken to compare the passwords leaks information about them.

CPE

Name | Operator | Version |
---|---|---|
jasypt: java simplified encryption | le | 1.9.1 |
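
The comparison pattern described above next to a constant-time alternative, as an added Java example (not jasypt's own code and not its fix). The class name, method names and sample passwords are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class DigestCompareDemo {

    // Pattern the advisory describes: Arrays.equals returns early on a length
    // mismatch or at the first differing byte, so run time depends on the input.
    static boolean matchesLeaky(byte[] expected, byte[] candidate) {
        return Arrays.equals(expected, candidate);
    }

    // Hardened: no early exit on a content mismatch. The length difference is
    // folded into the result instead of short-circuiting; the loop count still
    // depends on length, which is not secret for fixed-size digests.
    static boolean matchesConstantTime(byte[] expected, byte[] candidate) {
        if (expected == null || candidate == null) {
            return false;
        }
        int diff = expected.length ^ candidate.length;
        int n = Math.min(expected.length, candidate.length);
        for (int i = 0; i < n; i++) {
            diff |= expected[i] ^ candidate[i];
        }
        return diff == 0;
    }

    // Standard-library option: MessageDigest.isEqual is the JDK helper for
    // comparing digests and avoids the early exit in current JDKs.
    static boolean matchesJdk(byte[] expected, byte[] candidate) {
        return MessageDigest.isEqual(expected, candidate);
    }

    public static void main(String[] args) throws Exception {
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        // Constructed sample values, not taken from any real system.
        byte[] stored = sha.digest("constructed-sample-password".getBytes(StandardCharsets.UTF_8));
        byte[] wrong = sha.digest("constructed-wrong-guess".getBytes(StandardCharsets.UTF_8));
        byte[] shorter = Arrays.copyOf(stored, stored.length - 1);
        byte[][] candidates = { stored.clone(), wrong, shorter };
        String[] labels = { "same digest", "wrong digest", "shorter input" };
        for (int i = 0; i < candidates.length; i++) {
            System.out.printf("%-14s leaky=%b constantTime=%b jdk=%b%n", labels[i],
                    matchesLeaky(stored, candidates[i]),
                    matchesConstantTime(stored, candidates[i]),
                    matchesJdk(stored, candidates[i]));
        }
    }
}
```

All three methods return the same boolean for each input; they differ only in whether the time to reach that answer depends on where the inputs diverge.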