https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L869-L870
https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L894-L895
The salt is derived from sha256Sum(passphrase) rather than generated randomly, so two encryption operations with the same password will have the same derived key.
This deterministic salt enables pre-computation attacks.
Severity is considered low for internal uses of this library and high for consumers of this library.
Jervis will generate a random salt for each password and store it alongside the ciphertext.
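The following is an added illustration, not code from Jervis: it contrasts a salt derived from the passphrase (the vulnerable pattern) with a random per-encryption salt that is returned so it can be stored alongside the ciphertext (the fixed pattern). PBKDF2-HMAC-SHA256 and the iteration count are assumptions for the demo; the advisory does not name the key derivation function.

```python
# Added example (not Jervis code). The KDF (PBKDF2-HMAC-SHA256) and the
# iteration count are assumptions for illustration only.
import hashlib
import os
from typing import Optional, Tuple

KEY_LEN = 32
ITERATIONS = 100_000  # constructed value for the demo


def weak_derive_key(passphrase: bytes) -> bytes:
    """Vulnerable pattern: salt = sha256(passphrase).

    The salt is a pure function of the passphrase, so equal passphrases
    always map to equal keys, and keys for candidate passphrases can be
    computed before any ciphertext is seen.
    """
    salt = hashlib.sha256(passphrase).digest()
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, KEY_LEN)


def fixed_derive_key(passphrase: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Fixed pattern: a fresh random salt per encryption.

    The salt is returned with the key so the caller stores it next to the
    ciphertext; decryption passes the stored salt back in.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, KEY_LEN)
    return salt, key


def keys_collide_weak(passphrase: bytes) -> bool:
    """Two encryptions under the weak scheme share one key."""
    return weak_derive_key(passphrase) == weak_derive_key(passphrase)


def keys_collide_fixed(passphrase: bytes) -> bool:
    """Two encryptions under the fixed scheme get distinct keys."""
    _, key1 = fixed_derive_key(passphrase)
    _, key2 = fixed_derive_key(passphrase)
    return key1 == key2


def roundtrip_fixed(passphrase: bytes) -> bool:
    """The salt stored with the ciphertext re-derives the same key later."""
    salt, key = fixed_derive_key(passphrase)
    _, key_again = fixed_derive_key(passphrase, salt)
    return key == key_again
```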
Upgrade to Jervis 2.2.
None
| Score | Percentile |
|---|---|
| 0.01% | 1.60% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.5 | 3.1 | — | |
| 8.7 | 4.0 | — | |
| Type | Value |
|---|---|
| GHSA | GHSA-36h5-vrq6-pp34 |
| CVE | CVE-2025-68703 |
| CWE id | Name |
|---|---|
| CWE-326 | Inadequate Encryption Strength |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | net.gleske:jervis | < 2.2 | 2.2 | — |