GHSA-crxp-chh4-9ghp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-crxp-chh4-9ghp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-crxp-chh4-9ghp/GHSA-crxp-chh4-9ghp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-crxp-chh4-9ghp
- Aliases
- Published
- 2026-01-13T14:51:58Z
- Modified
- 2026-01-13T21:56:37.755733Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Jervis has Deterministic AES IV Derivation from Passphrase
- Details
-
Vulnerability
https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L866-L874
https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L891-L900
Same passphrase + same plaintext = same ciphertext (IV reuse)
Impact
Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high.
Significant reduction in the security of the encryption scheme. Pattern analysis becomes possible.
Patches
Random IV will be generated and prepended to the ciphertext.
Upgrade to Jervis 2.2.
Workarounds
None
- Database specific
{ "nvd_published_at": "2026-01-13T20:16:07Z", "cwe_ids": [ "CWE-327" ], "github_reviewed_at": "2026-01-13T14:51:58Z", "severity": "HIGH", "github_reviewed": true }- References
-
- https://github.com/samrocketman/jervis/security/advisories/GHSA-crxp-chh4-9ghp
- https://nvd.nist.gov/vuln/detail/CVE-2025-68701
- https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- https://github.com/samrocketman/jervis
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L866-L874
- https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L891-L900
- http://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
Affected packages
Maven / net.gleske:jervis
Package
- Name
- net.gleske:jervis
- View open source insights on deps.dev
- Purl
- pkg:maven/net.gleske/jervis
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.2