CVE-2025-68931
Published: 13 January 2026
Summary
CVE-2025-68931 is a high-severity Improper Authentication (CWE-287) vulnerability in Samrocketman Jervis. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked at the 10.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Detects unauthorized successful logons resulting from improper authentication implementations.
Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.
Security awareness training instructs users on secure authentication practices and avoiding credential compromise.
Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.
Contacts with security groups provide timely information on broken or risky cryptographic algorithms, reducing the likelihood of their selection and use.
Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.
Session content review can reveal authentication bypasses or failures in session establishment.
Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Padding oracle and unauthenticated AES-CBC usage directly enables integrity tampering of encrypted data (ciphertext manipulation), mapping to stored data manipulation.
NVD Description
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is fixed in 2.2.
Deeper analysisAI
CVE-2025-68931 affects Jervis, a library used for Job DSL plugin scripts and shared Jenkins pipeline libraries in versions prior to 2.2. The vulnerability arises from the implementation of AES/CBC/PKCS5Padding without authentication, which exposes it to padding oracle attacks and ciphertext manipulation. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWEs 287 (Improper Authentication) and 327 (Broken Cryptographic Algorithm).
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, user interaction, or special conditions. Exploitation enables high-impact integrity violations, such as modifying encrypted data through padding oracle techniques or direct ciphertext tampering, while confidentiality and availability remain unaffected.
The issue is addressed in Jervis version 2.2. Security practitioners should review the GitHub security advisory at https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj and the fixing commit at https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a for patch details and upgrade guidance.
Details
- CWE(s)