Advisories for Maven/Net.gleske/Jervis package

Pre-computation attacks. Severity is considered low for internal uses of this library and high for consumers of this library.

Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical. Unlikely to matter due to the design of how AES-256-CBC is used in conjunction with RSA and SHA-256 checksum within Jervis. Jervis uses RSA to encrypt AES keys and a SHA-256 checksum of the encrypted data in local-only storage inaccessible from the web. After asymmetric decryption …

If an attacker can predict the random delays, they may still be able to perform timing attacks.

Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high. Significant reduction in the security of the encryption scheme. Pattern analysis becomes possible.

Inconsistent hash lengths when leading bytes are zero Comparison failures for hashes with leading zeros Potential security issues in hash-based comparisons Could cause subtle bugs in systems relying on consistent hash lengths Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high.

Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered critical. An attacker with access to a decryption oracle (e.g., timing differences or error messages) could potentially decrypt ciphertext without knowing the private key. Jervis uses RSA to encrypt AES keys in local-only storage inaccessible from the web. The data stored is GitHub App authentication tokens which …

Depending on the broader system, this could allow JWT forgery. Internally this severity is low since JWT is only intended to interface with GitHub. External users should consider severity moderate.