jasypt before 1.9.2 uses a non-constant-time comparison when checking password digests, which allows a timing attack against the password hash comparison: because the check stops at the first differing byte, the time taken to reject a candidate depends on how many leading bytes of it match the stored digest, and an attacker who can submit many candidates and measure response times can recover the digest prefix by prefix. Exploitation requires the attacker to control one operand of the comparison and to observe timing with enough precision, but the fix is simple: jasypt 1.9.2 corrects the comparison, so upgrade to 1.9.2 or later. Applications that compare digests themselves should likewise avoid Arrays.equals-style early-exit comparison for secret values.
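The following is an added example illustrating the vulnerability class, not jasypt's own code (the pre-1.9.2 comparison is not reproduced here; earlyExitEquals is a stand-in for any comparison that returns at the first mismatch). It computes a salted SHA-256 digest, builds candidate digests that share a 0, 8 and 24 byte prefix with the stored one, and counts how many byte positions each comparison strategy inspects before answering; that count is what an attacker measures as elapsed time. The password, salt size and SHA-256 are assumptions chosen for the demo. MessageDigest.isEqual is shown as the JDK's own constant-time comparison for digests.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class DigestCompare {

    /**
     * Early-exit comparison (the vulnerable pattern): returns as soon as a byte
     * differs, so the number of bytes inspected, and therefore the time taken,
     * grows with the length of the matching prefix. java.util.Arrays.equals has
     * the same shape. inspected[0] receives the number of positions examined.
     */
    static boolean earlyExitEquals(byte[] a, byte[] b, int[] inspected) {
        inspected[0] = 0;
        if (a.length != b.length) {
            return false;
        }
        for (int i = 0; i < a.length; i++) {
            inspected[0]++;
            if (a[i] != b[i]) {
                return false; // work done so far reveals where the first mismatch is
            }
        }
        return true;
    }

    /**
     * Constant-time comparison (the fix): always walks the whole array and folds
     * every difference into one accumulator, so the work done does not depend on
     * where, or whether, the inputs differ. Only the length is observable, and
     * digest lengths are public anyway.
     */
    static boolean constantTimeEquals(byte[] a, byte[] b, int[] inspected) {
        inspected[0] = 0;
        int diff = a.length ^ b.length;
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) {
            inspected[0]++;
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /** Salted digest in the style of a password hasher: SHA-256(salt || password). Assumed scheme for the demo. */
    static byte[] saltedDigest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    /** Candidate that agrees with 'stored' on the first 'prefix' bytes and differs on the next one. */
    static byte[] candidateWithMatchingPrefix(byte[] stored, int prefix) {
        byte[] c = stored.clone();
        c[prefix] ^= 0x01; // flip one bit just past the matching prefix
        return c;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] stored = saltedDigest(salt, "correct horse battery staple"); // constructed sample password

        int[] count = new int[1];
        for (int prefix : new int[] {0, 8, 24}) {
            byte[] candidate = candidateWithMatchingPrefix(stored, prefix);

            earlyExitEquals(stored, candidate, count);
            int earlyExitWork = count[0];   // grows with the prefix: 1, 9, 25

            constantTimeEquals(stored, candidate, count);
            int constantWork = count[0];    // always 32 for a SHA-256 digest

            System.out.printf("prefix=%2d  early-exit inspected %2d bytes, constant-time inspected %2d bytes%n",
                    prefix, earlyExitWork, constantWork);
        }

        // The JDK's own constant-time digest comparison; prefer it over Arrays.equals for secrets.
        boolean ok = MessageDigest.isEqual(stored, saltedDigest(salt, "correct horse battery staple"));
        System.out.println("MessageDigest.isEqual on the correct password: " + ok);
    }
}
```

Compile and run with `javac DigestCompare.java && java DigestCompare`. The early-exit column tracks the matching prefix while the constant-time column is flat; with real timing noise an attacker needs many samples per candidate byte, but the per-byte difference is exactly what the early-exit column exposes. In application code, `MessageDigest.isEqual` (constant-time in modern JDKs) is the right primitive; the hand-written `constantTimeEquals` is shown only to make the accumulator pattern visible.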
References
- https://nvd.nist.gov/vuln/detail/CVE-2014-9970
- https://access.redhat.com/errata/RHSA-2017:2546
- https://access.redhat.com/errata/RHSA-2017:2547
- https://access.redhat.com/errata/RHSA-2017:2808
- https://access.redhat.com/errata/RHSA-2017:2809
- https://access.redhat.com/errata/RHSA-2017:2810
- https://access.redhat.com/errata/RHSA-2017:2811
- https://access.redhat.com/errata/RHSA-2017:3141
- https://access.redhat.com/errata/RHSA-2018:0294
- https://sourceforge.net/p/jasypt/code/668/
- https://github.com/advisories/GHSA-r5c2-rxh2-f5h2