Cyber Posture

CVE-2025-68704

High

Published: 13 January 2026

Published
13 January 2026
Modified
20 January 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0005 15.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-68704 is a high-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Samrocketman Jervis. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-12 Cryptographic Key Establishment and Management
addresses: CWE-330

Key generation under controlled management uses approved random-bit sources rather than insufficiently random values.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Vulnerability enables remote exploitation of a public-facing Jenkins library component for sensitive data disclosure via flawed timing attack mitigation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. This vulnerability is fixed in 2.2.

Deeper analysisAI

CVE-2025-68704 affects Jervis, a library used for Job DSL plugin scripts and shared Jenkins pipeline libraries. In versions prior to 2.2, Jervis relies on java.util.Random(), which is not cryptographically secure, for timing attack mitigation. This flaw, classified under CWE-330 (Use of Insufficiently Random Values), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

Remote attackers can exploit this vulnerability over the network with low complexity. By leveraging the predictable randomness from java.util.Random(), adversaries may conduct timing attacks to infer sensitive information processed or protected by Jervis in Jenkins environments, potentially disclosing confidential data without impacting integrity or availability.

The vulnerability is addressed in Jervis version 2.2, where the insecure random number generator is replaced. Security practitioners should upgrade to 2.2 or later, as detailed in the GitHub security advisory (GHSA-c9q6-g3hr-8gww) and the fixing commit (c3981ff71de7b0f767dfe7b37a2372cb2a51974a).

Details

CWE(s)
CWE-330

Affected Products

samrocketman
jervis
≤ 2.2

CVEs Like This One

CVE-2025-68702Same product: Samrocketman Jervis
CVE-2025-68698Same product: Samrocketman Jervis
CVE-2025-68931Same product: Samrocketman Jervis
CVE-2025-68703Same product: Samrocketman Jervis
CVE-2025-68701Same product: Samrocketman Jervis
CVE-2026-27637Shared CWE-330
CVE-2026-25072Shared CWE-330
CVE-2026-33710Shared CWE-330
CVE-2025-64097Shared CWE-330
CVE-2026-27755Shared CWE-330

References