Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 3aa31f468b0a · 2026-01-13T14:53:59.000Z
GHSA-67rj-pjg6-pq59 GHSA-crxp-chh4-9ghp
diff --git a/advisories/github-reviewed/2026/01/GHSA-67rj-pjg6-pq59/GHSA-67rj-pjg6-pq59.json b/advisories/github-reviewed/2026/01/GHSA-67rj-pjg6-pq59/GHSA-67rj-pjg6-pq59.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-67rj-pjg6-pq59",
+  "modified": "2026-01-13T14:52:31Z",
+  "published": "2026-01-13T14:52:31Z",
+  "aliases": [
+    "CVE-2025-68702"
+  ],
+  "summary": "Jervis Has a SHA-256 Hex String Padding Bug",
+  "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L622-L626\n\n`padLeft(32, '0')` should be `padLeft(64, '0')`. SHA-256 produces 32 bytes = 64 hex characters.\n\n### Impact\n\n* Inconsistent hash lengths when leading bytes are zero\n* Comparison failures for hashes with leading zeros\n* Potential security issues in hash-based comparisons\n* Could cause subtle bugs in systems relying on consistent hash lengths\n\nSeverity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high.\n\n### Patches\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nUse an alternate SHA-256 hash function or upgrade.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "net.gleske:jervis"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/samrocketman/jervis/security/advisories/GHSA-67rj-pjg6-pq59"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/samrocketman/jervis"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L622-L626"
+    },
+    {
+      "type": "WEB",
+      "url": "http://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-327"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-13T14:52:31Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-crxp-chh4-9ghp/GHSA-crxp-chh4-9ghp.json b/advisories/github-reviewed/2026/01/GHSA-crxp-chh4-9ghp/GHSA-crxp-chh4-9ghp.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-crxp-chh4-9ghp",
+  "modified": "2026-01-13T14:51:58Z",
+  "published": "2026-01-13T14:51:58Z",
+  "aliases": [
+    "CVE-2025-68701"
+  ],
+  "summary": "Jervis has Deterministic AES IV Derivation from Passphrase",
+  "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L866-L874\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L891-L900\n\nSame passphrase + same plaintext = same ciphertext (IV reuse)\n\n### Impact\n\nSeverity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high.\n\nSignificant reduction in the security of the encryption scheme. Pattern analysis becomes possible.\n\n### Patches\n\nRandom IV will be generated and prepended to the ciphertext.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nNone",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "net.gleske:jervis"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/samrocketman/jervis/security/advisories/GHSA-crxp-chh4-9ghp"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/samrocketman/jervis"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L866-L874"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L891-L900"
+    },
+    {
+      "type": "WEB",
+      "url": "http://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-327"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-13T14:51:58Z",
+    "nvd_published_at": null
+  }
+}
