GHSA-MQW7-C5GG-XQ97

Vulnerability from github – Published: 2026-01-13 14:28 – Updated: 2026-01-21 16:21
VLAI?
Summary
Jervis Has a RSA PKCS#1 Padding Vulnerability
Details

Vulnerability

https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L463-L465

https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L495-L497

Uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding).

Impact

Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical.

An attacker with access to a decryption oracle (e.g., timing differences or error messages) could potentially decrypt ciphertext without knowing the private key.

Jervis uses RSA to encrypt AES keys in local-only storage inaccessible from the web. The data stored is GitHub App authentication tokens which will expire within one hour or less.

Patches

Jervis patch will migrate from PKCS1Encoding to OAEPEncoding.

Upgrade to Jervis 2.2.

Workarounds

None

References

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "net.gleske:jervis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68698"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T14:28:57Z",
    "nvd_published_at": "2026-01-13T20:16:07Z",
    "severity": "HIGH"
  },
  "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L463-L465\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L495-L497\n\nUses `PKCS1Encoding` which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding).\n\n### Impact\n\nSeverity is considered low for internal uses of this library but if there\u0027s any consumer using these methods directly then this is considered critical.\n\nAn attacker with access to a decryption oracle (e.g., timing differences or error messages) could potentially decrypt ciphertext without knowing the private key.\n\nJervis uses RSA to encrypt AES keys in local-only storage inaccessible from the web.  The data stored is GitHub App authentication tokens which will expire within one hour or less.\n\n### Patches\n\nJervis patch will migrate from `PKCS1Encoding` to `OAEPEncoding`.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nNone\n\n### References\n\n- [Bleichenbacher\u0027s Attack on PKCS#1](https://en.wikipedia.org/wiki/Adaptive_chosen-ciphertext_attack)",
  "id": "GHSA-mqw7-c5gg-xq97",
  "modified": "2026-01-21T16:21:14Z",
  "published": "2026-01-13T14:28:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/samrocketman/jervis/security/advisories/GHSA-mqw7-c5gg-xq97"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68698"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/samrocketman/jervis"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L463-L465"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L495-L497"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Jervis Has a RSA PKCS#1 Padding Vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.