GHSA-mqw7-c5gg-xq97

Source

https://github.com/advisories/GHSA-mqw7-c5gg-xq97

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-mqw7-c5gg-xq97/GHSA-mqw7-c5gg-xq97.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mqw7-c5gg-xq97

Aliases

CVE-2025-68698

Published

2026-01-13T14:28:57Z

Modified

2026-02-03T03:11:54.190383Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Jervis Has a RSA PKCS#1 Padding Vulnerability

Details

Vulnerability

https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L463-L465

https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L495-L497

Uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding).

Impact

Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical.

An attacker with access to a decryption oracle (e.g., timing differences or error messages) could potentially decrypt ciphertext without knowing the private key.

Jervis uses RSA to encrypt AES keys in local-only storage inaccessible from the web. The data stored is GitHub App authentication tokens which will expire within one hour or less.

Patches

Jervis patch will migrate from PKCS1Encoding to OAEPEncoding.

Upgrade to Jervis 2.2.

Workarounds

None

References

Bleichenbacher's Attack on PKCS#1

Database specific

{
    "nvd_published_at": "2026-01-13T20:16:07Z",
    "github_reviewed_at": "2026-01-13T14:28:57Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-327"
    ],
    "github_reviewed": true
}

References

Affected packages

Maven / net.gleske:jervis

Package

Name: net.gleske:jervis; View open source insights on deps.dev
Purl: pkg:maven/net.gleske/jervis

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2

Affected versions

0.*

0.1

0.2

0.3

0.4

0.5

0.5.1

0.5.2

0.6

0.7

0.8

0.9

0.10

0.11

0.12

0.13

1.*

1.0

1.1

1.2

1.3

1.4

1.5

1.6

1.7

2.*

2.0

2.0.1

2.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-mqw7-c5gg-xq97/GHSA-mqw7-c5gg-xq97.json"