Jervis
CVE-2025-68698
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 maven packages depend on net.gleske:jervis (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.2.
DescriptionGitHub Advisory
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). This vulnerability is fixed in 2.2.
AnalysisAI
Jervis versions up to 2.2 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
Technical ContextAI
This vulnerability (CWE-327: Use of a Broken or Risky Cryptographic Algorithm) affects Jervis. Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). This vulnerability is fixed in 2.2.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 2.2.. Restrict network access to the affected service where possible.
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.uti
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding
Jervis versions up to 2.2 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
Jervis versions up to 2.2 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived
Jervis versions up to 2.2 is affected by improper verification of cryptographic signature (CVSS 5.3).
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mqw7-c5gg-xq97