Publish Advisories

GHSA-36h5-vrq6-pp34
GHSA-5pq9-5mpr-jj85
GHSA-c9q6-g3hr-8gww
GHSA-gxp5-mv27-vjcj

Author: advisory-database[bot]

advisories/github-reviewed/2026/01/GHSA-36h5-vrq6-pp34/GHSA-36h5-vrq6-pp34.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-36h5-vrq6-pp34",
-  "modified": "2026-01-13T21:41:07Z",
+  "modified": "2026-01-21T16:23:01Z",
   "published": "2026-01-13T14:53:50Z",
   "aliases": [
     "CVE-2025-68703"
   ],
   "summary": "Jervis's Salt for PBKDF2 derived from password",
   "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L869-L870\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L894-L895\n\nThe salt is derived from sha256Sum(passphrase).  Two encryption operations with the same password will have the same derived key.\n\n### Impact\n\nPre-computation attacks.\n\nSeverity is considered low for internal uses of this library and high for consumers of this library.\n\n### Patches\n\nJervis will generate a random salt for each password and store it alongside the ciphertext.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nNone\n\n### References\n\n- [NIST SP 800-132: Password-Based Key Derivation](https://csrc.nist.gov/publications/detail/sp/800-132/final)",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"

advisories/github-reviewed/2026/01/GHSA-5pq9-5mpr-jj85/GHSA-5pq9-5mpr-jj85.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5pq9-5mpr-jj85",
-  "modified": "2026-01-13T21:41:19Z",
+  "modified": "2026-01-21T16:23:33Z",
   "published": "2026-01-13T14:56:04Z",
   "aliases": [
     "CVE-2025-68925"
   ],
   "summary": "Jervis Has a JWT Algorithm Confusion Vulnerability",
   "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L244-L249\n\nThe code doesn't validate that the JWT header specifies `\"alg\":\"RS256\"`.\n\n### Impact\n\nDepending on the broader system, this could allow JWT forgery.\n\nInternally this severity is low since JWT is only intended to interface with GitHub.  External users should consider severity moderate.\n\n### Patches\n\nJervis patch will explicitly verify the algorithm in the header matches expectations and further verify the JWT structure.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nExternal users should consider using an alternate JWT library or upgrade.\n\n### References\n\n- [RFC 7518: JSON Web Algorithms](https://datatracker.ietf.org/doc/html/rfc7518)",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"

advisories/github-reviewed/2026/01/GHSA-c9q6-g3hr-8gww/GHSA-c9q6-g3hr-8gww.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c9q6-g3hr-8gww",
-  "modified": "2026-01-13T21:41:11Z",
+  "modified": "2026-01-21T16:23:22Z",
   "published": "2026-01-13T14:55:35Z",
   "aliases": [
     "CVE-2025-68704"
   ],
   "summary": "Jervis Has Weak Random for Timing Attack Mitigation",
   "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L593-L594\n\nUses `java.util.Random()` which is not cryptographically secure.\n\n### Impact\n\nIf an attacker can predict the random delays, they may still be able to perform timing attacks.\n\n### Patches\n\nJervis will use `SecureRandom` for timing randomization.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nNone\n\n### References\n\n- [OWASP Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"

advisories/github-reviewed/2026/01/GHSA-gxp5-mv27-vjcj/GHSA-gxp5-mv27-vjcj.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gxp5-mv27-vjcj",
-  "modified": "2026-01-13T21:41:25Z",
+  "modified": "2026-01-21T16:23:42Z",
   "published": "2026-01-13T14:56:49Z",
   "aliases": [
     "CVE-2025-68931"
   ],
   "summary": "Jervis's AES CBC Mode is Without Authentication",
   "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L682-L684\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L720-L722\n\n`AES/CBC/PKCS5Padding` lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation.\n\n### Impact\n\nSeverity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical.\n\nUnlikely to matter due to the design of how AES-256-CBC is used in conjunction with RSA and SHA-256 checksum within Jervis.\n\nJervis uses RSA to encrypt AES keys and a SHA-256 checksum of the encrypted data in local-only storage inaccessible from the web.  After asymmetric decryption and before symmetric decryption, a SHA-256 checksum is performed on the metadata and encrypted data. All encrypted data is discarded if the checksum does not match without attempting to decrypt since the encrypted data is assumed invalid.  The data stored is GitHub App authentication tokens which will expire within one hour.\n\n### Patches\n\nJervis patch will migrate from `AES/CBC/PKCS5Padding` to `AES/GCM/NoPadding`.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nNone\n\n### References\n\n- [Padding Oracle Attacks](https://en.wikipedia.org/wiki/Padding_oracle_attack)",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"