CVE-2025-68702
HIGH7.5EPSS 0.02%Jervis Has a SHA-256 Hex String Padding Bug
描述
### Vulnerability https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L622-L626 `padLeft(32, '0')` should be `padLeft(64, '0')`. SHA-256 produces 32 bytes = 64 hex characters. ### Impact * Inconsistent hash lengths when leading bytes are zero * Comparison failures for hashes with leading zeros * Potential security issues in hash-based comparisons * Could cause subtle bugs in systems relying on consistent hash lengths Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high. ### Patches Upgrade to Jervis 2.2. ### Workarounds Use an alternate SHA-256 hash function or upgrade.
受影響套件(1)
- Maven/net.gleske:jervisfrom 0, < 2.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-68702
- PATCHhttps://github.com/samrocketman/jervis
- WEBhttp://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- WEBhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L622-L626
- WEBhttps://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
- WEBhttps://github.com/samrocketman/jervis/security/advisories/GHSA-67rj-pjg6-pq59