Описание
Jervis Has a RSA PKCS#1 Padding Vulnerability
Vulnerability
Uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding).
Impact
Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical.
An attacker with access to a decryption oracle (e.g., timing differences or error messages) could potentially decrypt ciphertext without knowing the private key.
Jervis uses RSA to encrypt AES keys in local-only storage inaccessible from the web. The data stored is GitHub App authentication tokens which will expire within one hour or less.
Patches
Jervis patch will migrate from PKCS1Encoding to OAEPEncoding.
Upgrade to Jervis 2.2.
Workarounds
None
References
Ссылки
- https://github.com/samrocketman/jervis/security/advisories/GHSA-mqw7-c5gg-xq97
- https://nvd.nist.gov/vuln/detail/CVE-2025-68698
- https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L463-L465
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L495-L497
Пакеты
net.gleske:jervis
< 2.2
2.2
Связанные уязвимости
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). This vulnerability is fixed in 2.2.