High severity · OSV Advisory · Published Jan 13, 2026 · Updated Jan 13, 2026
Jervis has a Salt for PBKDF2 derived from password
CVE-2025-68703
Description
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2.
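The following is an added example, not Jervis code and not part of the advisory. It contrasts the salt construction described above with a per-operation random salt. The iteration count, key length, salt length and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 10_000  # assumed for this demo; not Jervis's setting
KEY_LEN = 32         # assumed 256-bit derived key
SALT_LEN = 16        # assumed random-salt length in bytes


def derive_key_password_salt(passphrase: str) -> bytes:
    """Pattern from the description: salt = SHA-256(passphrase)."""
    pw = passphrase.encode("utf-8")
    salt = hashlib.sha256(pw).digest()  # fully determined by the passphrase
    return hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS, KEY_LEN)


def derive_key_random_salt(passphrase: str,
                           salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Fresh random salt per encryption; pass the stored salt to decrypt."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    elif len(salt) != SALT_LEN:
        raise ValueError("stored salt has unexpected length")
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              salt, ITERATIONS, KEY_LEN)
    return salt, key  # the salt is not secret; store it beside the ciphertext


def distinct_keys(passphrase: str, operations: int, random_salt: bool) -> int:
    """Count distinct keys across repeated encryptions with one passphrase."""
    keys = set()
    for _ in range(operations):
        if random_salt:
            keys.add(derive_key_random_salt(passphrase)[1])
        else:
            keys.add(derive_key_password_salt(passphrase))
    return len(keys)


def can_rederive(passphrase: str, salt: bytes, expected_key: bytes) -> bool:
    """Decrypt side: same passphrase + stored salt must give the same key."""
    _, key = derive_key_random_salt(passphrase, salt)
    return hmac.compare_digest(key, expected_key)


if __name__ == "__main__":
    pw = "constructed-example-passphrase"  # constructed sample input
    print("password-derived salt:", distinct_keys(pw, 4, False), "distinct key(s)")
    print("random salt:          ", distinct_keys(pw, 4, True), "distinct key(s)")
    salt, key = derive_key_random_salt(pw)
    print("re-derivable with stored salt:", can_rederive(pw, salt, key))
```

With the password-derived salt, every operation under one passphrase collapses to a single key, so the salt adds nothing beyond the passphrase itself; with a random salt, each operation gets its own key and decryption still works because the salt is stored with the ciphertext.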
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net.gleske:jervis (Maven) | < 2.2 | 2.2 |
Affected products
- Range: jervis-0.1, jervis-0.10, jervis-0.11, …
References
- github.com/advisories/GHSA-36h5-vrq6-pp34 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-68703 (ADVISORY)
- github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a (WEB)
- github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy (WEB)
- github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34 (WEB)