Jervis
CVE-2025-68703
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 maven packages depend on net.gleske:jervis (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.2.
DescriptionGitHub Advisory
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2.
AnalysisAI
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). [CVSS 7.5 HIGH]
Technical ContextAI
Classified as CWE-326 (Inadequate Encryption Strength). Affects Jervis. Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 2.2.. Restrict network access to the affected service where possible.
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.uti
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding
Jervis versions up to 2.2 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
Jervis versions up to 2.2 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
Jervis versions up to 2.2 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
Jervis versions up to 2.2 is affected by improper verification of cryptographic signature (CVSS 5.3).
Same weakness CWE-326 – Inadequate Encryption Strength
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-36h5-vrq6-pp34