Description
Jervis Has a JWT Algorithm Confusion Vulnerability
Vulnerability
The JWT verification code does not check that the token header specifies "alg":"RS256", the algorithm the verifier expects.
Impact
Depending on the broader system, this could allow JWT forgery.
Within Jervis itself the severity is low, since its JWT handling is only intended for authenticating to GitHub. External users of the library should treat the severity as moderate.
Patches
The Jervis patch explicitly verifies that the algorithm in the header matches what the verifier expects and further validates the JWT structure.
Upgrade to Jervis 2.2.
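To make the pattern concrete, here is an added Python example (not Jervis's code and not taken from the patch) of a minimal JWT verifier in both forms: one that trusts the token's own "alg" header, so a token relabelled HS256 and keyed with the public key material, or marked "alg":"none", is accepted; and one that pins the expected algorithm up front and checks the JWT structure before any signature check, which is what the patch describes. The RSA key (two Mersenne primes, demo only), the public_key_bytes serialization and the claim values are all constructed for the example.

```python
"""Added example: a JWT verifier that trusts the token's 'alg' beside one that pins RS256."""
import base64
import hashlib
import hmac
import json

# Demo-only RSA key from two Mersenne primes so no key generation is needed.
# It is trivially factorable: never build a real key this way.
_P, _Q = (1 << 521) - 1, (1 << 127) - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (81)
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
EXPECTED_ALG = "RS256"  # what the server accepts; the token never gets a say

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _emsa_pkcs1_v15(message: bytes) -> bytes:
    # EM = 0x00 || 0x01 || PS (0xFF...) || 0x00 || DigestInfo(SHA-256(message))
    t = _SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - 3 - len(t)) + b"\x00" + t

def rs256_sign(message: bytes) -> bytes:
    em = int.from_bytes(_emsa_pkcs1_v15(message), "big")
    return pow(em, D, N).to_bytes(K, "big")

def rs256_verify(message: bytes, sig: bytes) -> bool:
    if len(sig) != K:
        return False
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message))

def public_key_bytes() -> bytes:
    """Assumed serialization: stands in for the PEM an attacker can download."""
    return N.to_bytes(K, "big") + E.to_bytes(4, "big")

def encode_jwt(claims: dict, alg: str, hmac_secret: bytes = b"") -> str:
    # HS256 and none exist here only to mint attacker tokens
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    msg = f"{header}.{payload}".encode("ascii")
    sig = {"RS256": lambda: rs256_sign(msg),
           "HS256": lambda: hmac.new(hmac_secret, msg, hashlib.sha256).digest(),
           "none": lambda: b""}[alg]()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_vulnerable(token: str) -> dict:
    """Lets the token choose the algorithm: the confusion bug."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    msg, sig = f"{h}.{p}".encode("ascii"), b64url_decode(s)
    if alg == "RS256":
        ok = rs256_verify(msg, sig)
    elif alg == "HS256":  # the one configured key doubles as the HMAC secret
        ok = hmac.compare_digest(sig, hmac.new(public_key_bytes(), msg, hashlib.sha256).digest())
    elif alg == "none":
        ok = sig == b""
    else:
        ok = False
    if not ok:
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def verify_hardened(token: str) -> dict:
    """Pins RS256 and validates the structure before any signature check."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed JWT: expected header.payload.signature")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"header alg must be {EXPECTED_ALG}")
    if not rs256_verify(f"{h}.{p}".encode("ascii"), b64url_decode(s)):
        raise ValueError("bad RS256 signature")
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims, dict):
        raise ValueError("payload must be a JSON object")
    return claims

def accepts(verifier, token: str) -> bool:
    try:
        verifier(token)
        return True
    except (ValueError, KeyError, TypeError):
        return False

if __name__ == "__main__":
    good = encode_jwt({"iss": "12345", "sub": "github-app"}, "RS256")
    confused = encode_jwt({"sub": "attacker"}, "HS256", public_key_bytes())
    unsigned = encode_jwt({"sub": "attacker"}, "none")
    for name, tok in [("RS256", good), ("HS256 confusion", confused), ("none", unsigned)]:
        print(f"{name:16} vulnerable={accepts(verify_vulnerable, tok)}"
              f"  hardened={accepts(verify_hardened, tok)}")
```

The only difference that matters is where the algorithm comes from: verify_vulnerable reads it out of the untrusted header and lets a single key argument be reinterpreted as an HMAC secret, while verify_hardened compares the header against a constant the server chose and only then runs the RS256 check. The structural checks (three non-empty segments, a JSON object header, a JSON object payload) are cheap and close off the malformed-token paths before any cryptography runs.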
Workarounds
External users should upgrade or switch to an alternative JWT library.
References
- https://github.com/samrocketman/jervis/security/advisories/GHSA-5pq9-5mpr-jj85
- https://nvd.nist.gov/vuln/detail/CVE-2025-68925
- https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L244-L249
Packages
net.gleske:jervis
Affected versions: < 2.2
Patched version: 2.2
Related vulnerabilities
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2.