Jervis Library Password-Based Key Derivation Vulnerability Allowing Pre-Computed Key Attacks

Vulnerability

A vulnerability exists in the Jervis library for Job DSL plugin scripts and shared Jenkins pipeline libraries, in versions prior to 2.2. The salt used for password-based key derivation is not random: it is the SHA-256 hash of the passphrase itself. Because the salt is a deterministic function of the passphrase, it adds nothing an attacker does not already control, and every derivation from the same passphrase yields the same salt and therefore the same key. An attacker can compute a table of keys for a list of candidate passphrases once and reuse it against every ciphertext or signature produced by any installation of the library, which is exactly the pre-computation (dictionary or rainbow-table) attack a per-password random salt is meant to prevent. This vulnerability is rated high severity for consumers of the library and low for internal users.

Impact

The vulnerability allows pre-computation attacks. The expensive key-derivation work is paid once, before any target is seen, and amortized across all targets; at attack time the attacker only has to test each precomputed key against the captured data. A recovered key lets the attacker decrypt data protected with the passphrase or forge signatures made with it.

Reproduction

To reproduce this vulnerability, use a Jervis version prior to 2.2 and derive a key from a passphrase twice, for example by encrypting data with the same passphrase in two separate runs. The derived key (and the salt) is identical both times, because nothing random enters the derivation. That repeatability is the precondition for the pre-computation attack described above.

Remediation

Upgrade to Jervis version 2.2 or later, where this vulnerability is fixed by generating a random salt for each password and storing it alongside the ciphertext so the key can be re-derived on decryption. Secrets encrypted with an earlier version were derived with the predictable salt; re-encrypt them after upgrading so they benefit from the random salt.
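The following is an added example, not Jervis code, that contrasts the two derivation patterns described in this advisory: a salt computed as SHA-256 of the passphrase versus a random salt stored next to the output. The KDF (PBKDF2-HMAC-SHA256), the iteration count, the HMAC "signature" format and the candidate passphrase list are all assumptions made for the demonstration; the page does not name the KDF or storage format Jervis uses. A call counter shows that against the deterministic salt the attacker performs no KDF work at attack time, whereas a random salt forces the KDF to be rerun for every candidate per target.

```python
"""Deterministic-salt KDF (the pre-2.2 pattern) versus a random per-password salt.

Added example, not Jervis code. PBKDF2-HMAC-SHA256 and the HMAC-based
signature below are stand-ins for whatever the library actually uses.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 2_000  # assumed, kept low so the demo runs quickly
KEY_LEN = 32
_STATS = {"kdf_calls": 0}  # counts expensive KDF invocations


def kdf_calls() -> int:
    return _STATS["kdf_calls"]


def _kdf(passphrase: bytes, salt: bytes) -> bytes:
    _STATS["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, KEY_LEN)


def derive_key_vulnerable(passphrase: bytes) -> bytes:
    # Salt is a pure function of the passphrase: same passphrase, same salt,
    # same key, for every user and every operation.
    salt = hashlib.sha256(passphrase).digest()
    return _kdf(passphrase, salt)


def derive_key_fixed(passphrase: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Fresh random salt per derivation. It is returned so the caller can store
    # it beside the ciphertext and pass it back in to re-derive the key.
    if salt is None:
        salt = os.urandom(16)
    return salt, _kdf(passphrase, salt)


def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(key, message), tag)


# Constructed candidate list standing in for an attacker's wordlist.
CANDIDATES: List[bytes] = [b"password", b"jenkins", b"hunter2", b"correct horse"]


def build_table(candidates: List[bytes]) -> Dict[bytes, bytes]:
    # Paid once, before any target exists; valid against every vulnerable
    # installation because the salt never varies.
    return {p: derive_key_vulnerable(p) for p in candidates}


def attack_vulnerable(table: Dict[bytes, bytes], message: bytes, tag: bytes) -> Optional[bytes]:
    # Only one cheap HMAC per candidate; no KDF work at attack time.
    for passphrase, key in table.items():
        if verify(key, message, tag):
            return passphrase
    return None


def attack_fixed(candidates: List[bytes], salt: bytes, message: bytes, tag: bytes) -> Optional[bytes]:
    # The salt is only known once the target is captured, so every candidate
    # costs a full KDF run per target and nothing can be precomputed.
    for passphrase in candidates:
        _, key = derive_key_fixed(passphrase, salt)
        if verify(key, message, tag):
            return passphrase
    return None


def forge(table: Dict[bytes, bytes], passphrase: bytes, message: bytes) -> bytes:
    # With the passphrase recovered, the attacker signs arbitrary messages.
    return sign(table[passphrase], message)


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    msg, secret = b"deploy: production", b"hunter2"
    tag = sign(derive_key_vulnerable(secret), msg)
    before = kdf_calls()
    print("vulnerable: recovered", attack_vulnerable(table, msg, tag),
          "with", kdf_calls() - before, "KDF calls")
    salt, key = derive_key_fixed(secret)
    tag2 = sign(key, msg)
    before = kdf_calls()
    print("fixed: recovered", attack_fixed(CANDIDATES, salt, msg, tag2),
          "with", kdf_calls() - before, "KDF calls for this one target")
```

The fixed variant is still brute-forceable for a weak passphrase in a candidate list; the random salt removes the amortization, not the need for a strong passphrase and an adequate iteration count.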

Added: Jan 13, 2026, 8:47 PM
Updated: Jan 13, 2026, 8:47 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.