Published: 13 Jan 2026
Source: github
GitHub: Reviewed
CVSS4: 8.7
CVSS3: 7.5
Description
Jervis's Salt for PBKDF2 derived from password
Vulnerability
The salt is derived from sha256Sum(passphrase), so it is a deterministic function of the password. Two encryption operations with the same password therefore use the same salt and produce the same PBKDF2-derived key; the salt adds no per-encryption uniqueness.
Impact
Pre-computation attacks. Because the salt does not vary, an attacker can run PBKDF2 once per candidate password and reuse the resulting table of derived keys against every ciphertext produced under this scheme, instead of redoing the work for each salt.
Severity is considered low for internal uses of this library and high for consumers of this library.
Patches
Jervis will generate a random salt each time a password is used to encrypt and store it alongside the ciphertext, so that decryption can re-derive the same key.
Upgrade to Jervis 2.2.
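The pattern from the Vulnerability section and the fix from the Patches section, side by side, as an added Python illustration. This is not Jervis's Groovy code: the iteration count, key length, salt length and the salt||ciphertext storage layout are assumptions for the example, since the advisory does not state Jervis's values. The wordlist and the placeholder ciphertext are constructed.

```python
from typing import Dict, Iterable, Optional, Tuple
import hashlib
import os

# Parameters are assumptions for this illustration; the advisory does not
# state the iteration count, key length or salt length Jervis uses.
ITERATIONS = 100_000
KEY_LEN = 32
SALT_LEN = 16


def derive_key_vulnerable(passphrase: str) -> bytes:
    """Pre-2.2 pattern described in the advisory: salt = sha256Sum(passphrase).

    The salt is a pure function of the password, so every encryption with the
    same password derives the same PBKDF2 key, and the salt adds nothing an
    attacker who guesses the password does not already have.
    """
    pw = passphrase.encode("utf-8")
    salt = hashlib.sha256(pw).digest()
    return hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS, KEY_LEN)


def derive_key_fixed(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """2.2-style pattern: a fresh random salt per encryption.

    On encryption call with salt=None and store the returned salt next to the
    ciphertext; on decryption pass the stored salt back in to get the same key.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    pw = passphrase.encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS, KEY_LEN)


def pack_blob(salt: bytes, ciphertext: bytes) -> bytes:
    """Storage layout assumed for this example: salt || ciphertext."""
    return salt + ciphertext


def unpack_blob(blob: bytes) -> Tuple[bytes, bytes]:
    return blob[:SALT_LEN], blob[SALT_LEN:]


def build_precomputed_table(wordlist: Iterable[str]) -> Dict[bytes, str]:
    """The pre-computation attack the Impact section refers to.

    Against the vulnerable scheme one PBKDF2 run per candidate password is
    enough: the resulting key matches every ciphertext ever produced with that
    password, because nothing in the derivation varies between uses.
    """
    return {derive_key_vulnerable(w): w for w in wordlist}


def recover_password(table: Dict[bytes, str], derived_key: bytes) -> Optional[str]:
    return table.get(derived_key)


def demo(passphrase: str = "hunter2") -> dict:
    # Constructed wordlist standing in for an attacker's dictionary.
    wordlist = ["password", "letmein", passphrase, "correct horse"]
    table = build_precomputed_table(wordlist)

    # Vulnerable scheme: two encryptions, one key, and the table finds it.
    k_a = derive_key_vulnerable(passphrase)
    k_b = derive_key_vulnerable(passphrase)

    # Fixed scheme: two encryptions, two salts, two keys; the table is useless
    # and the attacker must redo the PBKDF2 work once per stored salt.
    salt1, k1 = derive_key_fixed(passphrase)
    salt2, k2 = derive_key_fixed(passphrase)
    blob = pack_blob(salt1, b"<ciphertext bytes>")  # constructed placeholder
    stored_salt, _ = unpack_blob(blob)
    _, k1_again = derive_key_fixed(passphrase, stored_salt)

    return {
        "vulnerable_keys_equal": k_a == k_b,
        "vulnerable_recovered": recover_password(table, k_a),
        "fixed_keys_equal": k1 == k2,
        "fixed_recovered": recover_password(table, k1),
        "fixed_decrypt_key_matches": k1_again == k1,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The decryption path is the reason the salt has to be stored with the ciphertext: without it the key cannot be re-derived. With a random salt, the attacker's dictionary cost becomes one full PBKDF2 pass per ciphertext rather than one pass for all of them, which is the property the vulnerable derivation threw away.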
Workarounds
None
References
- https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34
- https://nvd.nist.gov/vuln/detail/CVE-2025-68703
- https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L869-L870
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L894-L895
Packages
Name: net.gleske:jervis (maven)
Affected versions: < 2.2
Fixed version: 2.2
Related vulnerabilities
CVSS3: 7.5
nvd
24 days ago
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2.