net.gleske:jervis@2.0

  • latest version

    2.3

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    2 months ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the net.gleske:jervis package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Use of a Broken or Risky Cryptographic Algorithm

    net.gleske:jervis provides self-service Jenkins job generation using Jenkins Job DSL plugin Groovy scripts: it reads .jervis.yml and generates a job in Jenkins.

    Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to improper padding of SHA-256 hex strings in SecurityIO.groovy. An attacker can cause inconsistent hash lengths and comparison failures by submitting hashes with leading zeros, potentially leading to security issues in systems that rely on consistent hash lengths.

    How to fix Use of a Broken or Risky Cryptographic Algorithm?

    Upgrade net.gleske:jervis to version 2.2 or higher.

    [,2.2)
    • M
    Improper Verification of Cryptographic Signature

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the JWT verification process. An attacker can bypass signature validation by crafting a JWT with an unexpected algorithm in the header, potentially allowing unauthorized access or actions.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade net.gleske:jervis to version 2.2 or higher.

    [,2.2)
    • H
    Use of a Broken or Risky Cryptographic Algorithm

    Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via the AES/CBC/PKCS5Padding cipher transformation, which provides no integrity protection. An attacker can manipulate ciphertext or perform padding oracle attacks by exploiting the lack of authentication in the encryption process.

    Note: This is only exploitable if consumers use the affected encryption methods directly, as the default implementation includes additional integrity checks and key protections.

    How to fix Use of a Broken or Risky Cryptographic Algorithm?

    Upgrade net.gleske:jervis to version 2.2 or higher.

    [,2.2)
    • H
    Use of a Broken or Risky Cryptographic Algorithm

    Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in SecurityIO.groovy. An attacker can compromise the confidentiality of encrypted data by performing pattern analysis on ciphertexts generated with the same passphrase and plaintext, as the initialization vector is deterministically derived and reused.

    How to fix Use of a Broken or Risky Cryptographic Algorithm?

    Upgrade net.gleske:jervis to version 2.2 or higher.

    [,2.2)
    • H
    Use of a Broken or Risky Cryptographic Algorithm

    Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via the PKCS1Encoding function. An attacker can decrypt sensitive ciphertext without possessing the private key by exploiting a padding oracle, such as through timing differences or error messages.

    How to fix Use of a Broken or Risky Cryptographic Algorithm?

    Upgrade net.gleske:jervis to version 2.2 or higher.

    [,2.2)
    • H
    Insecure Randomness

    Affected versions of this package are vulnerable to Insecure Randomness in SecurityIO. An attacker can predict random delays by analyzing the output of the randomization mechanism, potentially allowing them to perform timing attacks.

    How to fix Insecure Randomness?

    Upgrade net.gleske:jervis to version 2.2 or higher.

    [,2.2)
    • H
    Inadequate Encryption Strength

    Affected versions of this package are vulnerable to Inadequate Encryption Strength in the PBKDF2 key derivation process. An attacker can recover encryption keys by performing pre-computation attacks when the salt is deterministically derived from the password using a SHA-256 hash, resulting in identical derived keys for the same password.

    How to fix Inadequate Encryption Strength?

    Upgrade net.gleske:jervis to version 2.2 or higher.

    [,2.2)
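The first entry above (SHA-256 hex strings losing leading zeros) comes down to how a digest is turned into text: converting the digest bytes through an integer drops leading zero nibbles, so 1 in 256 real hashes comes out shorter than 64 characters and fails a naive equality check. The following is an added example, not jervis code: it shows the lossy encoding next to the correct one and a normalizing, constant-time comparison. The sample digest is constructed with a leading zero byte so the defect is visible.

```python
import hashlib
import hmac

SHA256_HEX_LEN = 64  # 32 digest bytes -> 64 hex characters
HEX_CHARS = set("0123456789abcdef")


def unpadded_hex(digest: bytes) -> str:
    """Mimics the defect: going through an integer discards leading zero nibbles."""
    return format(int.from_bytes(digest, "big"), "x")


def padded_hex(digest: bytes) -> str:
    """Correct encoding: every byte becomes exactly two hex characters."""
    return digest.hex()


def normalize_sha256_hex(value: str) -> str:
    """Accept a hex string that may have lost leading zeros; return the canonical 64-char form.

    Raises ValueError for anything that cannot be a SHA-256 digest.
    """
    value = value.strip().lower()
    if not value or len(value) > SHA256_HEX_LEN or any(c not in HEX_CHARS for c in value):
        raise ValueError("not a SHA-256 hex string")
    return value.zfill(SHA256_HEX_LEN)


def sha256_hex_equal(expected: str, presented: str) -> bool:
    """Normalize both sides, then compare in constant time.

    A dropped leading zero no longer causes a spurious mismatch, and malformed
    input is simply rejected rather than raising into the caller.
    """
    try:
        return hmac.compare_digest(normalize_sha256_hex(expected), normalize_sha256_hex(presented))
    except ValueError:
        return False


# Constructed digest whose first nibbles are zero (labelled sample, not a real hash of anything).
SAMPLE_DIGEST = bytes([0x00, 0x0A]) + bytes([0xAB] * 30)

if __name__ == "__main__":
    print("lossy  :", unpadded_hex(SAMPLE_DIGEST), len(unpadded_hex(SAMPLE_DIGEST)))
    print("padded :", padded_hex(SAMPLE_DIGEST), len(padded_hex(SAMPLE_DIGEST)))
    print("match after normalization:", sha256_hex_equal(padded_hex(SAMPLE_DIGEST), unpadded_hex(SAMPLE_DIGEST)))
```

The durable fix is to never produce the short form in the first place (`digest.hex()` in Python, or a zero-padded formatter on the JVM); the normalization step is what lets a verifier keep accepting values already stored by older code.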
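The JWT entry above describes a verifier that lets the token's header choose the algorithm. The defence is for the verifier to pin the algorithm it expects and reject anything else before looking at the signature. The example below is added here and is not jervis code; it implements HS256 issuance and pinned verification with the Python standard library only (a symmetric HMAC key is assumed, which keeps the example self-contained; the same pinning rule applies to RS256/ES256 verifiers).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

PINNED_ALG = "HS256"  # the verifier decides the algorithm; the token never does


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(payload: dict, key: bytes) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": PINNED_ALG, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if alg is exactly HS256 and the HMAC matches; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        presented = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pinned-algorithm check first: "none", an asymmetric alg, or a missing alg all fail here,
    # so no signature logic is ever selected by attacker-controlled header data.
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        return None
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(payload, dict) else None


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample key
    tok = issue_hs256({"sub": "jenkins-job", "role": "reader"}, demo_key)
    print("valid token ->", verify_hs256(tok, demo_key))
```

Note what is deliberately absent: there is no lookup of a verification routine keyed on `header["alg"]`. Libraries that offer such a lookup usually also take an explicit allow-list of algorithms; passing that allow-list (or a single expected algorithm) is the equivalent of the pinned check here.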
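Three of the entries above share one root cause: the salt fed to PBKDF2 is SHA-256 of the passphrase, so the derived key and IV are fixed per passphrase (identical plaintexts give identical ciphertexts), and the AES/CBC/PKCS5Padding output carries no integrity tag (ciphertext can be altered and padding errors leak). The example below is added here and is not jervis code. It keeps the deterministic derivation as a reference for the defect, then shows the corrected shape: a random per-message salt stored with the ciphertext, separate encryption and MAC keys, a random IV, and verify-before-decrypt. Because it is standard-library only, the cipher is an HMAC-SHA256 counter-mode keystream standing in for AES; in production the whole seal/open pair should be an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 16
IV_LEN = 16
KEY_LEN = 32
TAG_LEN = 32
ITERATIONS = 100_000


def deterministic_key_iv(passphrase: str) -> Tuple[bytes, bytes]:
    """Mimics the defect: salt = SHA-256(passphrase), so key and IV never change for a passphrase."""
    salt = hashlib.sha256(passphrase.encode()).digest()
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, KEY_LEN + IV_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Fix: caller supplies a fresh random salt; split the output into enc key and MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, 2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the block cipher, not a recommendation.
    blocks = []
    produced = 0
    counter = 0
    while produced < length:
        block = hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Output layout: salt || iv || ciphertext || tag, tag computed over everything before it."""
    salt = os.urandom(SALT_LEN)
    iv = os.urandom(IV_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    body = salt + iv + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def decrypt(passphrase: str, blob: bytes) -> Optional[bytes]:
    """Verify the tag first; a modified byte anywhere is rejected before any decryption runs."""
    if len(blob) < SALT_LEN + IV_LEN + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[:SALT_LEN]
    iv = body[SALT_LEN:SALT_LEN + IV_LEN]
    ciphertext = body[SALT_LEN + IV_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))


if __name__ == "__main__":
    pw = "constructed sample passphrase"  # constructed sample, not a real secret
    print("deterministic key/iv stable:", deterministic_key_iv(pw) == deterministic_key_iv(pw))
    a, b = encrypt(pw, b"same plaintext"), encrypt(pw, b"same plaintext")
    print("fixed scheme, two encryptions differ:", a != b)
    print("round trip:", decrypt(pw, a))
```

Two properties are worth checking in any such scheme: encrypting the same plaintext twice must produce different output (random salt and IV), and flipping any byte of the stored blob must make decryption fail closed with a single generic result, so that there is no padding-specific error for an oracle to distinguish.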