Описание
Jervis's AES CBC Mode is Without Authentication
Vulnerability
AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation.
Impact
Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical.
Unlikely to matter due to the design of how AES-256-CBC is used in conjunction with RSA and SHA-256 checksum within Jervis.
Jervis uses RSA to encrypt AES keys and a SHA-256 checksum of the encrypted data in local-only storage inaccessible from the web. After asymmetric decryption and before symmetric decryption, a SHA-256 checksum is performed on the metadata and encrypted data. All encrypted data is discarded if the checksum does not match without attempting to decrypt since the encrypted data is assumed invalid. The data stored is GitHub App authentication tokens which will expire within one hour.
Patches
Jervis patch will migrate from AES/CBC/PKCS5Padding to AES/GCM/NoPadding.
Upgrade to Jervis 2.2.
Workarounds
None
References
Ссылки
- https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj
- https://nvd.nist.gov/vuln/detail/CVE-2025-68931
- https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L682-L684
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L720-L722
- http://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
Пакеты
net.gleske:jervis
< 2.2
2.2
Связанные уязвимости
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is fixed in 2.2.