exploitDog
GHSA-67rj-pjg6-pq59

Published: 13 Jan 2026
Source: github
GitHub: Reviewed
CVSS4: 8.7
CVSS3: 7.5

Description

Jervis Has a SHA-256 Hex String Padding Bug

Vulnerability

https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L622-L626

padLeft(32, '0') should be padLeft(64, '0'). SHA-256 produces 32 bytes = 64 hex characters.

Impact

  • Inconsistent hash lengths when leading bytes are zero
  • Comparison failures for hashes with leading zeros
  • Potential security issues in hash-based comparisons
  • Could cause subtle bugs in systems relying on consistent hash lengths

Severity is considered low for internal uses of this library, but if any consumer is using these methods directly then it is considered high.
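To see why the padding width matters, here is an added Python illustration of the same mistake (it is not Jervis code): the digest is turned into an unsigned integer, hex-encoded, and left-padded with '0' to 32 characters, next to the correct 64-character form. It assumes the vulnerable method renders the digest through such an integer-to-hex conversion, which is what a pad-left step implies; the inputs and the search for a digest with a leading zero byte are constructed for the demonstration.

```python
import hashlib

# A SHA-256 digest is 32 bytes, so its hex form must be 64 characters.
SHA256_HEX_LEN = 64


def digest_to_hex(digest: bytes, pad: int) -> str:
    """Render a digest as an unsigned big integer in hex, then left-pad with '0'.
    The integer conversion drops leading zero bytes, so only the padding can
    restore them: pad=32 mirrors the advisory's padLeft(32, '0'), pad=64 the fix."""
    hex_str = format(int.from_bytes(digest, "big"), "x")
    return hex_str.rjust(pad, "0")


def vulnerable_sha256_hex(data: bytes) -> str:
    return digest_to_hex(hashlib.sha256(data).digest(), 32)


def fixed_sha256_hex(data: bytes) -> str:
    return digest_to_hex(hashlib.sha256(data).digest(), SHA256_HEX_LEN)


def find_input_with_leading_zero_byte(prefix: bytes = b"jervis-demo-") -> bytes:
    """Constructed input: append a counter until the digest's first byte is 0x00
    (roughly 1 in 256 inputs), so the padding difference becomes visible."""
    for i in range(100_000):
        candidate = prefix + str(i).encode()
        if hashlib.sha256(candidate).digest()[0] == 0:
            return candidate
    raise RuntimeError("no zero-leading digest found")


def compare_against_canonical(data: bytes) -> dict:
    """Compare both renderings with hashlib's canonical 64-character hexdigest."""
    canonical = hashlib.sha256(data).hexdigest()
    vuln = vulnerable_sha256_hex(data)
    fixed = fixed_sha256_hex(data)
    return {
        "vulnerable_len": len(vuln),
        "fixed_len": len(fixed),
        "vulnerable_matches": vuln == canonical,  # False once leading zeros are lost
        "fixed_matches": fixed == canonical,      # always True
    }


if __name__ == "__main__":
    sample = find_input_with_leading_zero_byte()
    print(sample, compare_against_canonical(sample))
```

The defect is silent for most inputs (the empty string, whose digest starts with 0xe3, renders identically either way), which is why a short padding width survives casual testing and only surfaces as intermittent comparison failures.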

Patches

Upgrade to Jervis 2.2.

Workarounds

Use an alternate SHA-256 hash function or upgrade.

Packages

Name: net.gleske:jervis (maven)
Affected versions: < 2.2
Patched version: 2.2

EPSS

Percentile: 3%
Score: 0.00017
Low

CVSS4: 8.7 High
CVSS3: 7.5 High

Weaknesses

CWE-327

Related vulnerabilities

CVSS3: 7.5
nvd
26 days ago

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses padLeft(32, '0') when it should use padLeft(64, '0') because SHA-256 produces 32 bytes which equates to 64 hex characters. This vulnerability is fixed in 2.2.
