Vulnerabilities ›

CVE-2025-68703

High

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password wil

CWE-326 — Weakness Type

                    Published: Jan 13, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

🤖 AI Executive Summary

Jervis library versions prior to 2.2 use a weak key derivation function where salt is derived from SHA256 of the passphrase, causing identical encryption keys for repeated passwords. This cryptographic weakness (CWE-326: Inadequate Encryption Strength) enables attackers to perform dictionary attacks and decrypt sensitive data in Jenkins pipeline configurations. Organizations using Jervis for CI/CD automation should immediately upgrade to version 2.2 or later.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 2, 2026 15:48

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations leveraging Jenkins for CI/CD pipelines in government digital transformation initiatives (NCA, CITC), banking sector (SAMA-regulated institutions, fintech), and energy sector (ARAMCO, downstream operators) face significant risk. Encrypted credentials, API keys, and deployment secrets stored in Jervis-protected pipeline configurations could be compromised through cryptanalysis. The vulnerability particularly impacts organizations with shared Jenkins infrastructure serving multiple teams, where password reuse is common.

🏢 Affected Saudi Sectors

Government (Digital Transformation, NCA) Banking & Financial Services (SAMA-regulated) Energy & Utilities (ARAMCO, downstream) Telecommunications (STC, Mobily) Healthcare (MOH systems) Technology & Software Development

🎯 MITRE ATT&CK Techniques

T1555 - Credentials from Password Stores T1110 - Brute Force (dictionary attacks on weak encryption) T1552 - Unsecured Credentials T1187 - Forced Authentication T1040 - Traffic Capture or Replay

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

1. IMMEDIATE: Audit all Jenkins instances using Jervis library versions <2.2 via plugin manager and dependency scanning

2. INVENTORY: Document all encrypted secrets managed through Jervis (credentials, API keys, deployment tokens)

3. UPGRADE: Update Jervis to version 2.2 or later immediately

4. RE-ENCRYPT: After upgrade, rotate all previously encrypted secrets as they may be compromised

5. DETECTION: Implement log monitoring for Jenkins script console access and pipeline execution with Jervis operations

6. COMPENSATING CONTROL: Until patched, store sensitive credentials in external secret management systems (HashiCorp Vault, AWS Secrets Manager) instead of Jervis encryption

7. VALIDATION: Test pipeline functionality post-upgrade to ensure no regression in secret handling

🔧 خطوات المعالجة (العربية)

1. فوري: تدقيق جميع مثيلات Jenkins التي تستخدم إصدارات Jervis <2.2 عبر مدير المكونات الإضافية والفحص التبعي

2. الجرد: توثيق جميع الأسرار المشفرة المدارة عبر Jervis (بيانات الاعتماد ومفاتيح API وتوكنات النشر)

3. الترقية: تحديث Jervis إلى الإصدار 2.2 أو أحدث فوراً

4. إعادة التشفير: بعد الترقية، قم بتدوير جميع الأسرار المشفرة سابقاً لأنها قد تكون مخترقة

5. الكشف: تنفيذ مراقبة السجلات لوصول وحدة تحكم نصوص Jenkins وتنفيذ خطوط الأنابيب مع عمليات Jervis

6. التحكم البديل: حتى يتم الإصلاح، قم بتخزين بيانات الاعتماد الحساسة في أنظمة إدارة الأسرار الخارجية (HashiCorp Vault، AWS Secrets Manager) بدلاً من تشفير Jervis

7. التحقق: اختبر وظائف خط الأنابيب بعد الترقية للتأكد من عدم وجود انحدار في معالجة الأسرار

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.10.1.1 - Cryptographic controls and key management ECC 2024 A.8.2.3 - Secure development and change management ECC 2024 A.5.1.1 - Information security policies

🔵 SAMA CSF

SAMA CSF ID.BE-1 - Asset management and inventory SAMA CSF PR.DS-1 - Data security and encryption SAMA CSF DE.CM-1 - Detection and monitoring

🟡 ISO 27001:2022

ISO 27001:2022 A.10.1 - Cryptography ISO 27001:2022 A.8.2 - Asset management ISO 27001:2022 A.5.1 - Policies for information security

🟣 PCI DSS v4.0.1

PCI DSS 3.4 - Encryption of cardholder data PCI DSS 3.2.1 - Strong cryptography for stored data

🔗 References & Sources 2

🔗

https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a

security-advisories@github.com

Patch

🔗

https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34

security-advisories@github.com

Patch Vendor Advisory

📦 Affected Products / CPE 1 entries

samrocketman:jervis

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-326

EPSS0.01%

Exploit No

Patch ✓ Yes

Published 2026-01-13

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

patch-available CWE-326

🏢 Vendor Advisories

🔗 https://github.com/samrocketman/jervis/security/advi...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2025-68703

💬 Comments

Introduce Yourself

Sign In Required