Cyber Resilience

CVE-2025-68931

High

Published: 13 January 2026

Published
13 January 2026
Modified
20 January 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 6.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-68931 is a high-severity Improper Authentication (CWE-287) vulnerability in Samrocketman Jervis. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-68931 affects Jervis, a library used for Job DSL plugin scripts and shared Jenkins pipeline libraries in versions prior to 2.2. The vulnerability arises from the implementation of AES/CBC/PKCS5Padding without authentication, which exposes it to padding oracle attacks and ciphertext manipulation. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWEs 287 (Improper Authentication) and 327 (Broken Cryptographic Algorithm).

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, user interaction, or special conditions. Exploitation enables high-impact integrity violations, such as modifying encrypted data through padding oracle techniques or direct ciphertext tampering, while confidentiality and availability remain unaffected.

The issue is addressed in Jervis version 2.2. Security practitioners should review the GitHub security advisory at https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj and the fixing commit at https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a for patch details and upgrade guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is fixed in 2.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Padding oracle and unauthenticated AES-CBC usage directly enables integrity tampering of encrypted data (ciphertext manipulation), mapping to stored data manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68702Same product: Samrocketman Jervis
CVE-2025-68698Same product: Samrocketman Jervis
CVE-2025-68701Same product: Samrocketman Jervis
CVE-2025-68703Same product: Samrocketman Jervis
CVE-2025-68704Same product: Samrocketman Jervis
CVE-2026-34204Shared CWE-287
CVE-2025-11661Shared CWE-287
CVE-2025-1044Shared CWE-287
CVE-2025-56333Shared CWE-287
CVE-2026-1740Shared CWE-287

Affected Assets

samrocketman
jervis
≤ 2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-13 requires implementation of approved cryptographic mechanisms providing both confidentiality and integrity protection, directly mitigating the unauthenticated AES/CBC/PKCS5Padding vulnerable to padding oracle attacks and ciphertext manipulation.

prevent

SI-2 mandates timely identification, reporting, and remediation of flaws like CVE-2025-68931, enabling upgrade to Jervis 2.2 which fixes the lack of authentication in encryption.

detect

SI-7 employs integrity verification mechanisms such as cryptographic hashes or digital signatures to detect unauthorized modifications to encrypted data exploited via padding oracle or tampering techniques.

References