High severity · OSV Advisory · Published Jan 13, 2026 · Updated Jan 13, 2026
Jervis has a Weak Random for Timing Attack Mitigation
CVE-2025-68704
Description
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random, which is not cryptographically secure, for timing attack mitigation. This vulnerability is fixed in 2.2.
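The advisory names the weak primitive but not the surrounding pattern. The following is an added illustration, not Jervis code and not taken from the referenced SecurityIO.groovy: a hypothetical token check that masks its timing with a random delay. The "before" half draws the delay from java.util.Random and compares with String.equals; the "after" half draws it from java.security.SecureRandom and compares fixed-length SHA-256 digests with MessageDigest.isEqual, so neither the delay nor the comparison depends on the secret in an observable way. Method names, the token value and the delay bound are all constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Random;
import java.util.concurrent.TimeUnit;

/**
 * Added example (not from the Jervis project): contrast a timing-mitigation
 * delay driven by java.util.Random with one driven by SecureRandom, and pair
 * the latter with a constant-time comparison.
 */
public final class TimingMitigationExample {

    // BEFORE: java.util.Random is a 48-bit linear congruential generator.
    // Its full internal state fits in 48 bits and is determined by the seed,
    // so the "random" delays it produces are reproducible and do not add real
    // uncertainty for an observer who collects several timing samples.
    private static final Random WEAK_RNG = new Random();

    static boolean weakCheck(String expected, String presented) throws InterruptedException {
        // Hypothetical jitter bound of 0-19 ms, chosen for this example only.
        TimeUnit.MILLISECONDS.sleep(WEAK_RNG.nextInt(20));
        // String.equals returns at the first differing character, so the
        // comparison time itself depends on how much of the secret matched.
        return expected.equals(presented);
    }

    // AFTER: SecureRandom is seeded from the platform's CSPRNG and its output
    // is not predictable from previous outputs. The jitter is still only a
    // secondary measure; the primary fix is a comparison whose duration does
    // not depend on the data.
    private static final SecureRandom STRONG_RNG = new SecureRandom();

    static boolean hardenedCheck(String expected, String presented)
            throws InterruptedException, NoSuchAlgorithmException {
        TimeUnit.MILLISECONDS.sleep(STRONG_RNG.nextInt(20));
        // Hash both sides first: the digests are always 32 bytes, so
        // MessageDigest.isEqual's length check cannot reveal the secret's
        // length, and the byte-by-byte compare runs in constant time.
        byte[] a = sha256(expected.getBytes(StandardCharsets.UTF_8));
        byte[] b = sha256(presented.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(a, b);
    }

    private static byte[] sha256(byte[] input) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(input);
    }

    // Demonstrates why java.util.Random is unsuitable as an entropy source:
    // two instances built from the same seed emit identical delay sequences.
    static boolean sameSeedGivesSameDelays(long seed, int samples) {
        Random r1 = new Random(seed);
        Random r2 = new Random(seed);
        for (int i = 0; i < samples; i++) {
            if (r1.nextInt(20) != r2.nextInt(20)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; not real credentials.
        String storedToken = "constructed-sample-token";

        System.out.println("weak, correct token:      " + weakCheck(storedToken, "constructed-sample-token"));
        System.out.println("weak, wrong token:        " + weakCheck(storedToken, "constructed-sample-tokeN"));
        System.out.println("hardened, correct token:  " + hardenedCheck(storedToken, "constructed-sample-token"));
        System.out.println("hardened, wrong token:    " + hardenedCheck(storedToken, "constructed-sample-tokeN"));
        System.out.println("Random with fixed seed repeats its delays: " + sameSeedGivesSameDelays(12345L, 16));
    }
}
```

Compile and run with `javac TimingMitigationExample.java && java TimingMitigationExample`. For code review, the check that catches this class of bug is mechanical: any `new Random(` or `Math.random()` that feeds a security decision, a delay meant to hide one, a token, a salt or a nonce should be replaced with `SecureRandom`, and any `equals` on a secret should be replaced with a constant-time comparison such as `MessageDigest.isEqual`.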
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net.gleske:jervis (Maven) | < 2.2 | 2.2 |
Affected products
- Range: jervis-0.1, jervis-0.10, jervis-0.11, …
References
- github.com/advisories/GHSA-c9q6-g3hr-8gww (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-68704 (NVD advisory)
- github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a (commit referenced by the GHSA)
- github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy (source file referenced by the GHSA)
- github.com/samrocketman/jervis/security/advisories/GHSA-c9q6-g3hr-8gww (project security advisory)
News mentions
No linked articles in our index yet.