Lucene search
K
SamrocketmanJervis

7 matches found

CVE
CVE
added 2026/01/13 7:29 p.m.22 views

CVE-2025-68704

CVE-2025-68704 concerns the Jervis library used by Jenkins Job DSL plugin scripts and shared pipelines. Prior to version 2.2, Jervis relies on java.util.Random() for timing attack mitigation, which is not cryptographically secure. The vulnerability, fixed in 2.2, can affect timing-related defense...

8.2CVSS6.4AI score0.00231EPSS
CVE
CVE
added 2026/01/13 7:16 p.m.19 views

CVE-2025-68698

CVE-2025-68698 affects the Jervis library (used by Jenkins Job DSL scripts and shared pipelines). Before version 2.2, Jervis uses PKCS1Encoding, making it vulnerable to Bleichenbacher padding oracle attacks. The issue is mitigated by upgrading to Jervis 2.2 or newer, which switches to OAEP paddin...

8.7CVSS6.5AI score0.00128EPSS
CVE
CVE
added 2026/01/13 7:30 p.m.19 views

CVE-2025-68925

Summary (CVE-2025-68925): Jervis (net.gleske:jervis) is vulnerable prior to version 2.2 due to a JWT header check omission that fails to enforce the algorithm field (alg) to RS256. The issue allows potential JWT forgery or signature bypass depending on context, as described in multiple sources (e...

6.9CVSS6.7AI score0.00128EPSS
CVE
CVE
added 2026/01/13 7:21 p.m.16 views

CVE-2025-68701

CVE-2025-68701 affects Jervis (Job DSL/Jenkins shared libraries). Prior to version 2.2, Jervis derives the AES IV deterministically from a passphrase, enabling cryptographic weaknesses as described in multiple sources. The vulnerability is fixed in 2.2; remediation is to upgrade to Jervis 2.2 or ...

8.7CVSS6.4AI score0.00202EPSS
CVE
CVE
added 2026/01/13 7:26 p.m.16 views

CVE-2025-68702

The CVE affects net.gleske:jervis (Jervis) prior to version 2.2. In SecurityIO.groovy, padLeft(32, '0') is used for SHA-256 hex strings, but SHA-256 produces 32 bytes = 64 hex characters; this causes inconsistent hash lengths and potential issues in hash comparisons. The issue is fixed in Jervis ...

8.7CVSS6.4AI score0.00147EPSS
CVE
CVE
added 2026/01/13 7:17 p.m.15 views

CVE-2025-68931

Jervis (net.gleske:jervis) before version 2.2 uses AES/CBC/PKCS5Padding without authentication, making it susceptible to padding oracle attacks and ciphertext manipulation. The issue is fixed in Jervis 2.2 by migrating to AES/GCM/NoPadding. Affected products: Jervis library for Job DSL plugin scr...

8.7CVSS6.4AI score0.00172EPSS
CVE
CVE
added 2026/01/13 7:27 p.m.14 views

CVE-2025-68703

CVE-2025-68703 affects the Jervis library used with Jenkins Job DSL and shared pipelines. Prior to version 2.2, the salt for PBKDF2 is derived from the SHA-256 hash of the passphrase, causing two encryption operations using the same password to yield the same derived key. This design enables pre-...

8.7CVSS6.5AI score0.00116EPSS