CVE-2025-68698

Description

### Vulnerability https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L463-L465 https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L495-L497 Uses `PKCS1Encoding` which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). ### Impact Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical. An attacker with access to a decryption oracle (e.g., timing differences or error messages) could potentially decrypt ciphertext without knowing the private key. Jervis uses RSA to encrypt AES keys in local-only storage inaccessible from the web. The data stored is GitHub App authentication tokens which will expire within one hour or less. ### Patches Jervis patch will migrate from `PKCS1Encoding` to `OAEPEncoding`. Upgrade to Jervis 2.2. ### Workarounds None ### References - [Bleichenbacher's Attack on PKCS#1](https://en.wikipedia.org/wiki/Adaptive_chosen-ciphertext_attack)

Affected packages (1)

• Maven/net.gleske:jervisfrom 0, < 2.2

CVSS scores

References (6)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-68698
• PATCHhttps://github.com/samrocketman/jervis
• WEBhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L463-L465
• WEBhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L495-L497
• WEBhttps://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
• WEBhttps://github.com/samrocketman/jervis/security/advisories/GHSA-mqw7-c5gg-xq97