https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L866-L874
https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L891-L900
Same passphrase + same plaintext = same ciphertext (IV reuse)
Severity is considered low for internal uses of this library, but it is considered high if any consumer calls these encryption methods directly.
Significant reduction in the security of the encryption scheme: because the IV never changes for a given passphrase, an observer who sees two ciphertexts can tell whether they came from the same plaintext, so pattern analysis becomes possible.
Random IV will be generated and prepended to the ciphertext.
Upgrade to Jervis 2.2.
Workarounds: None.
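The vulnerable behaviour and the fix described above, as an added Go illustration that is not Jervis code (the advisory does not publish the library's internals, and the linked Groovy is not reproduced here). Assumptions: AES-256 in CBC mode with PKCS#7 padding, a SHA-256-based key and IV derivation as a stand-in for whatever KDF the library uses, and constructed sample passphrase and plaintexts. `EncryptFixedIV` models "same passphrase + same plaintext = same ciphertext"; `EncryptRandomIV` / `DecryptRandomIV` model the patched scheme with a random IV prepended to the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// deriveKey stands in for a passphrase KDF. Assumption: the advisory does not
// say how Jervis derives its key; a bare hash is not a real KDF and is only
// here so the example runs stand-alone.
func deriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte("key:" + passphrase))
	return sum[:]
}

// pkcs7Pad brings the input to a whole number of blocks, as CBC requires.
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects a malformed trailer.
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("padded data is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key is always 32 bytes here
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out, block.BlockSize())
}

// EncryptFixedIV models the vulnerable pattern: the IV depends on the
// passphrase alone, so every message under that passphrase reuses it.
func EncryptFixedIV(passphrase string, plaintext []byte) []byte {
	ivSum := sha256.Sum256([]byte("iv:" + passphrase))
	return cbcEncrypt(deriveKey(passphrase), ivSum[:aes.BlockSize], plaintext)
}

// EncryptRandomIV models the fix: a fresh random IV per call, prepended to
// the ciphertext so the decryptor can recover it.
func EncryptRandomIV(passphrase string, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	return append(iv, cbcEncrypt(deriveKey(passphrase), iv, plaintext)...), nil
}

// DecryptRandomIV splits off the prepended IV and decrypts the rest.
func DecryptRandomIV(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize {
		return nil, errors.New("blob too short to contain an IV")
	}
	return cbcDecrypt(deriveKey(passphrase), blob[:aes.BlockSize], blob[aes.BlockSize:])
}

// SharedLeadingBlocks counts the leading 16-byte blocks two ciphertexts have
// in common: with a reused IV under CBC this reveals a shared plaintext prefix.
func SharedLeadingBlocks(a, b []byte) int {
	n := 0
	for (n+1)*aes.BlockSize <= len(a) && (n+1)*aes.BlockSize <= len(b) {
		lo, hi := n*aes.BlockSize, (n+1)*aes.BlockSize
		if !bytes.Equal(a[lo:hi], b[lo:hi]) {
			break
		}
		n++
	}
	return n
}

func main() {
	pass := "build-secret"                         // constructed sample passphrase
	m1 := []byte("GITHUB_TOKEN=ghp_aaaaaaaa")      // constructed sample secrets
	m2 := []byte("GITHUB_TOKEN=ghp_bbbbbbbb")      // same first 16 bytes as m1
	c1 := EncryptFixedIV(pass, m1)
	fmt.Println("fixed IV, same input twice, identical:", bytes.Equal(c1, EncryptFixedIV(pass, m1)))
	fmt.Println("fixed IV, leading blocks shared with m2:", SharedLeadingBlocks(c1, EncryptFixedIV(pass, m2)))
	r1, _ := EncryptRandomIV(pass, m1)
	r2, _ := EncryptRandomIV(pass, m1)
	fmt.Println("random IV, same input twice, identical:", bytes.Equal(r1, r2))
	p, err := DecryptRandomIV(pass, r1)
	fmt.Printf("random IV round trip: %q err=%v\n", p, err)
}
```

The prefix leak is what "pattern analysis" means in practice: two secrets that start with the same 16 bytes produce an identical first ciphertext block under the fixed IV, while the random-IV version produces unrelated ciphertexts every time and still decrypts because the IV travels with the data.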
| EPSS score | Percentile |
|---|---|
| 0.02% | 5.45% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.5 | 3.1 | — | |
| 8.7 | 4.0 | — | |
| Type | Value |
|---|---|
| GHSA | GHSA-crxp-chh4-9ghp |
| CVE | CVE-2025-68701 |
| CWE id | Name |
|---|---|
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | net.gleske:jervis | < 2.2 | 2.2 | — |