CVE-2025-68703
Published: 13 January 2026
Summary
CVE-2025-68703 is a high-severity Inadequate Encryption Strength (CWE-326) vulnerability in Samrocketman Jervis. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Reduce Key Space (T1600.001). It ranks at the 1.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Maintaining currency with technologies and practices reduces selection of encryption mechanisms that provide inadequate strength.
- Updated assessments identify when previously adequate encryption strength no longer meets current attack capabilities or compliance drivers.
- Key establishment procedures require selection and generation of keys with adequate length and strength for the chosen algorithm.
- Specifies required cryptography types and parameters, preventing selection of inadequate encryption strength.
- Prompt patching corrects inadequate encryption strength when vendors release updates that increase key sizes or algorithm security.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A salt derived deterministically from the passphrase reduces key-derivation strength, enabling plaintext recovery from ciphertexts that share a key (matches Reduce Key Space).
NVD Description
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2.
Deeper analysis
CVE-2025-68703, published on 2026-01-13, is a vulnerability in the Jervis library, which supports Job DSL plugin scripts and shared Jenkins pipeline libraries. In versions prior to 2.2, the salt used in key derivation is computed as sha256Sum(passphrase), resulting in identical derived keys for multiple encryption operations performed with the same passphrase. This issue, classified under CWE-326 (Inadequate Encryption Strength), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability is exploitable by any network-accessible attacker without privileges, user interaction, or special conditions. The impact is to confidentiality: because every encryption under the same passphrase derives the same key, an attacker holding multiple ciphertexts can recover plaintext from the relationships between them.
Mitigation is provided in Jervis version 2.2, which addresses the flawed salt derivation. Security advisories recommend upgrading to 2.2 or later; details are available in the GitHub security advisory at https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34 and the fixing commit at https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a.
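The following Python is an added illustration, not Jervis code: the page states only that the pre-2.2 salt was sha256Sum(passphrase), so the KDF (PBKDF2-HMAC-SHA256), iteration count and key length here are stand-in assumptions. It contrasts the deterministic salt with a per-encryption random salt and adds a check a defender can run over stored records to flag data still carrying a passphrase-derived salt.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

# Stand-in KDF parameters (assumption: the advisory does not state Jervis's actual KDF).
ITERATIONS = 100_000
KEY_LEN = 32


def weak_derive_key(passphrase: str) -> Tuple[bytes, bytes]:
    """Pre-2.2 pattern as the advisory describes it: salt = sha256Sum(passphrase).
    The salt is a function of the passphrase alone, so every encryption under the
    same passphrase gets the same salt and therefore the same derived key."""
    pw = passphrase.encode()
    salt = hashlib.sha256(pw).digest()
    return salt, hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS, KEY_LEN)


def fixed_derive_key(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened pattern: a fresh random salt per encryption, stored alongside the
    ciphertext; pass the stored salt back in to re-derive the key for decryption."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, KEY_LEN)


def derivations_collide(derive: Callable[[str], Tuple[bytes, bytes]], passphrase: str, n: int = 3) -> bool:
    """True when n independent derivations for one passphrase all yield the same key,
    i.e. the scheme reuses a key across encryptions (the CWE-326 condition here)."""
    keys = {derive(passphrase)[1] for _ in range(n)}
    return len(keys) == 1


def salt_is_passphrase_derived(passphrase: str, stored_salt: bytes) -> bool:
    """Defender check: a stored record whose salt equals SHA-256(passphrase) was
    produced by the weak scheme and should be re-encrypted under the fixed one."""
    expected = hashlib.sha256(passphrase.encode()).digest()
    return hmac.compare_digest(stored_salt, expected)
```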
Details
- CWE(s)