Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 390b674bb133 · 2026-01-21T16:22:37.000Z
GHSA-4f99-4q7p-p3gh GHSA-67rj-pjg6-pq59 GHSA-crxp-chh4-9ghp GHSA-mqw7-c5gg-xq97
diff --git a/advisories/github-reviewed/2025/12/GHSA-4f99-4q7p-p3gh/GHSA-4f99-4q7p-p3gh.json b/advisories/github-reviewed/2025/12/GHSA-4f99-4q7p-p3gh/GHSA-4f99-4q7p-p3gh.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4f99-4q7p-p3gh",
-  "modified": "2025-12-05T02:27:47Z",
+  "modified": "2026-01-21T16:20:52Z",
   "published": "2025-12-04T21:31:04Z",
   "aliases": [
     "CVE-2025-65637"
diff --git a/advisories/github-reviewed/2026/01/GHSA-67rj-pjg6-pq59/GHSA-67rj-pjg6-pq59.json b/advisories/github-reviewed/2026/01/GHSA-67rj-pjg6-pq59/GHSA-67rj-pjg6-pq59.json
@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-67rj-pjg6-pq59",
-  "modified": "2026-01-13T21:41:00Z",
+  "modified": "2026-01-21T16:21:29Z",
   "published": "2026-01-13T14:52:31Z",
   "aliases": [
     "CVE-2025-68702"
   ],
   "summary": "Jervis Has a SHA-256 Hex String Padding Bug",
   "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L622-L626\n\n`padLeft(32, '0')` should be `padLeft(64, '0')`. SHA-256 produces 32 bytes = 64 hex characters.\n\n### Impact\n\n* Inconsistent hash lengths when leading bytes are zero\n* Comparison failures for hashes with leading zeros\n* Potential security issues in hash-based comparisons\n* Could cause subtle bugs in systems relying on consistent hash lengths\n\nSeverity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high.\n\n### Patches\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nUse an alternate SHA-256 hash function or upgrade.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
diff --git a/advisories/github-reviewed/2026/01/GHSA-crxp-chh4-9ghp/GHSA-crxp-chh4-9ghp.json b/advisories/github-reviewed/2026/01/GHSA-crxp-chh4-9ghp/GHSA-crxp-chh4-9ghp.json
@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-crxp-chh4-9ghp",
-  "modified": "2026-01-13T21:40:55Z",
+  "modified": "2026-01-21T16:21:22Z",
   "published": "2026-01-13T14:51:58Z",
   "aliases": [
     "CVE-2025-68701"
   ],
   "summary": "Jervis has Deterministic AES IV Derivation from Passphrase",
   "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L866-L874\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L891-L900\n\nSame passphrase + same plaintext = same ciphertext (IV reuse)\n\n### Impact\n\nSeverity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high.\n\nSignificant reduction in the security of the encryption scheme. Pattern analysis becomes possible.\n\n### Patches\n\nRandom IV will be generated and prepended to the ciphertext.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nNone",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
diff --git a/advisories/github-reviewed/2026/01/GHSA-mqw7-c5gg-xq97/GHSA-mqw7-c5gg-xq97.json b/advisories/github-reviewed/2026/01/GHSA-mqw7-c5gg-xq97/GHSA-mqw7-c5gg-xq97.json
@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mqw7-c5gg-xq97",
-  "modified": "2026-01-13T21:40:47Z",
+  "modified": "2026-01-21T16:21:14Z",
   "published": "2026-01-13T14:28:57Z",
   "aliases": [
     "CVE-2025-68698"
   ],
   "summary": "Jervis Has a RSA PKCS#1 Padding Vulnerability",
   "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L463-L465\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L495-L497\n\nUses `PKCS1Encoding` which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding).\n\n### Impact\n\nSeverity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical.\n\nAn attacker with access to a decryption oracle (e.g., timing differences or error messages) could potentially decrypt ciphertext without knowing the private key.\n\nJervis uses RSA to encrypt AES keys in local-only storage inaccessible from the web.  The data stored is GitHub App authentication tokens which will expire within one hour or less.\n\n### Patches\n\nJervis patch will migrate from `PKCS1Encoding` to `OAEPEncoding`.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nNone\n\n### References\n\n- [Bleichenbacher's Attack on PKCS#1](https://en.wikipedia.org/wiki/Adaptive_chosen-ciphertext_attack)",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-4f99-4q7p-p3gh",`
`4`		`- "modified": "2025-12-05T02:27:47Z",`
	`4`	`+ "modified": "2026-01-21T16:20:52Z",`
`5`	`5`	`"published": "2025-12-04T21:31:04Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-65637"`