GHSA-gxp5-mv27-vjcj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gxp5-mv27-vjcj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gxp5-mv27-vjcj/GHSA-gxp5-mv27-vjcj.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-gxp5-mv27-vjcj
- Aliases
- Published
- 2026-01-13T14:56:49Z
- Modified
- 2026-01-13T22:26:29.327999Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Jervis's AES CBC Mode is Without Authentication
- Details
-
Vulnerability
https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L682-L684
https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L720-L722
AES/CBC/PKCS5Paddinglacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation.Impact
Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical.
Unlikely to matter due to the design of how AES-256-CBC is used in conjunction with RSA and SHA-256 checksum within Jervis.
Jervis uses RSA to encrypt AES keys and a SHA-256 checksum of the encrypted data in local-only storage inaccessible from the web. After asymmetric decryption and before symmetric decryption, a SHA-256 checksum is performed on the metadata and encrypted data. All encrypted data is discarded if the checksum does not match without attempting to decrypt since the encrypted data is assumed invalid. The data stored is GitHub App authentication tokens which will expire within one hour.
Patches
Jervis patch will migrate from
AES/CBC/PKCS5PaddingtoAES/GCM/NoPadding.Upgrade to Jervis 2.2.
Workarounds
None
References
- Database specific
{ "github_reviewed_at": "2026-01-13T14:56:49Z", "severity": "HIGH", "nvd_published_at": "2026-01-13T20:16:07Z", "cwe_ids": [ "CWE-287", "CWE-327" ], "github_reviewed": true }- References
-
- https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj
- https://nvd.nist.gov/vuln/detail/CVE-2025-68931
- https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- https://github.com/samrocketman/jervis
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L682-L684
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L720-L722
- http://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
Affected packages
Maven / net.gleske:jervis
Package
- Name
- net.gleske:jervis
- View open source insights on deps.dev
- Purl
- pkg:maven/net.gleske/jervis
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.2