Jervis Library SHA-256 Hex String Padding Vulnerability
Vulnerability
Jervis, a library for Job DSL plugin scripts and Jenkins shared pipeline libraries, incorrectly pads the hexadecimal form of SHA-256 digests in versions prior to 2.2. A SHA-256 digest is 32 bytes, which is 64 hexadecimal characters, but the library's padding function only left-pads the hex string to 32 characters. Whenever a digest begins with one or more zero nibbles, the returned string is shorter than 64 characters, so hash lengths vary from input to input and comparisons against a correctly formatted 64-character hash fail. The issue is considered low risk for the library's own internal use of the method, but it can have significant consequences for external consumers that rely on these hashing methods.
Impact
Digests whose leading nibbles are zero are returned shorter than 64 characters, so hash lengths are inconsistent and comparisons between a short hash and a correctly formatted one fail. Systems that store or compare these hashes can hit subtle bugs, such as a stored hash that never matches a freshly computed one. The severity is low for internal use of the library but high for external consumers of its hashing methods.
Reproduction
The vulnerability can be reproduced with a Jervis version prior to 2.2 by calling the 'sha256Sum' method of the 'SecurityIO' class. The method returns a SHA-256 hex string padded only to 32 characters rather than 64, so any input whose digest starts with zero nibbles yields a string shorter than 64 characters, producing the inconsistencies described in the impact section.
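The following Python script is an added example, not Jervis's own Groovy code, that reproduces the padding defect and shows a consumer-side check. It assumes that the raw hex string in affected versions came from a big-integer-to-base-16 conversion that drops leading zero nibbles (as Java's BigInteger.toString(16) does), which is an assumption about the implementation; the advisory itself only states that the padding stops at 32 characters. The search loop finds an input whose digest starts with a zero nibble, so the short output can be observed deterministically.

```python
import hashlib
import hmac

HEX_LEN = 64  # SHA-256 is 32 bytes, i.e. 64 hex characters
HEX_CHARS = set("0123456789abcdef")


def _hex_without_leading_zeros(digest: bytes) -> str:
    # Mirrors converting the digest to a big integer and printing it in base 16
    # (as Java's BigInteger.toString(16) does), which drops leading zero nibbles.
    # ASSUMPTION: this is how the affected versions produced the raw hex string.
    return format(int.from_bytes(digest, "big"), "x")


def legacy_sha256sum(s: str) -> str:
    """Behaviour described for versions before 2.2: pad only to 32 characters."""
    digest = hashlib.sha256(s.encode("utf-8")).digest()
    return _hex_without_leading_zeros(digest).rjust(32, "0")


def fixed_sha256sum(s: str) -> str:
    """Corrected behaviour: always pad to the full 64 hex characters."""
    digest = hashlib.sha256(s.encode("utf-8")).digest()
    return _hex_without_leading_zeros(digest).rjust(HEX_LEN, "0")


def reference_sha256(s: str) -> str:
    """Ground truth: hashlib's hexdigest always returns 64 characters."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def find_input_with_leading_zero(prefix: str = "jervis-sample-", limit: int = 10000) -> str:
    """Return a constructed input whose SHA-256 hex digest starts with '0'.

    Roughly one input in sixteen qualifies, so the search terminates almost
    immediately; the prefix and the search are constructed for this example.
    """
    for i in range(limit):
        candidate = f"{prefix}{i}"
        if reference_sha256(candidate).startswith("0"):
            return candidate
    raise RuntimeError("no candidate with a leading zero nibble found")


def is_well_formed_sha256_hex(h: str) -> bool:
    """Consumer-side check: reject anything that is not exactly 64 lowercase hex chars."""
    return len(h) == HEX_LEN and all(c in HEX_CHARS for c in h)


def normalize_legacy_hex(h: str) -> str:
    """Left-pad a short hex string produced by an affected version back to 64 chars.

    Only safe for strings known to come from sha256Sum: leading zeros are the
    only thing the old padding dropped, so re-adding them restores the digest.
    """
    if len(h) > HEX_LEN or not all(c in HEX_CHARS for c in h):
        raise ValueError("not a lowercase SHA-256 hex string")
    return h.rjust(HEX_LEN, "0")


def hashes_match(stored: str, computed: str) -> bool:
    """Compare a possibly short stored hash with a freshly computed one, in constant time."""
    return hmac.compare_digest(normalize_legacy_hex(stored), normalize_legacy_hex(computed))


if __name__ == "__main__":
    sample = find_input_with_leading_zero()
    print("input:  ", sample)
    print("legacy: ", legacy_sha256sum(sample), len(legacy_sha256sum(sample)))
    print("fixed:  ", fixed_sha256sum(sample), len(fixed_sha256sum(sample)))
    print("ref:    ", reference_sha256(sample))
    print("naive == :", legacy_sha256sum(sample) == reference_sha256(sample))
    print("normalized == :", hashes_match(legacy_sha256sum(sample), reference_sha256(sample)))
```

Running the script shows the legacy output one character shorter per leading zero nibble while the fixed output equals hashlib's digest. The is_well_formed_sha256_hex check is the cheap guard a consumer can put in front of any stored hash, and normalize_legacy_hex is only appropriate for values known to have come from the affected method.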
Remediation
Upgrade to Jervis 2.2 or later, which pads the SHA-256 hex output to the full 64 characters. Hashes that were computed and stored by earlier versions remain short and will not match the corrected output, so recompute them or left-pad them to 64 characters before comparing.
