Security Vulnerability Report
CVE-2025-68704 CVSS 7.5 HIGH

CVE-2025-68704

Published: 2026-01-13 20:16:08
Last Modified: 2026-01-20 17:36:48

Description

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. This vulnerability is fixed in 2.2.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:samrocketman:jervis:*:*:*:*:*:*:*:* - VULNERABLE
Jervis < 2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// CVE-2025-68704 PoC - Demonstrating insecure Random usage in Jervis < 2.2
// This PoC shows how java.util.Random() outputs can be predicted once the
// seed is known: the same seed always reproduces the same sequence.
import java.util.Random;

public class JervisRandomPredictor {
    public static void main(String[] args) {
        // Simulating Jervis's insecure random number generation: a Random
        // seeded from the clock, a low-entropy value an observer can narrow down
        long seed = System.currentTimeMillis();
        Random insecureRandom = new Random(seed);
        System.out.println("=== CVE-2025-68704 Insecure Random Demo ===");
        System.out.println("Seed: " + seed);

        // Generate some "random" numbers (simulating the values the library
        // draws, e.g. for its timing attack mitigation)
        int[] generatedNumbers = new int[5];
        for (int i = 0; i < 5; i++) {
            generatedNumbers[i] = insecureRandom.nextInt();
            System.out.println("Generated #" + (i + 1) + ": " + generatedNumbers[i]);
        }

        // Attacker perspective: given the seed, replay the generator and
        // reproduce every value that was observed
        System.out.println("\n=== Attacker Prediction ===");
        Random predictedRandom = new Random(seed);
        for (int i = 0; i < 5; i++) {
            int predicted = predictedRandom.nextInt();
            boolean match = (predicted == generatedNumbers[i]);
            System.out.println("Predicted #" + (i + 1) + ": " + predicted
                    + " (Match: " + match + ")");
        }
        System.out.println("\n[!] With SecureRandom, this prediction would be impossible");
    }
}

References

https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a (Patch)
https://github.com/samrocketman/jervis/security/advisories/GHSA-c9q6-g3hr-8gww (Vendor Advisory, Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68704", "sourceIdentifier": "[email protected]", "published": "2026-01-13T20:16:07.673", "lastModified": "2026-01-20T17:36:48.247", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. This vulnerability is fixed in 2.2."}, {"lang": "es", "value": "Jervis es una biblioteca para scripts del plugin Job DSL y bibliotecas compartidas de pipeline de Jenkins. Antes de la versión 2.2, Jervis utiliza java.util.Random(), que no es criptográficamente seguro para la mitigación de ataques de temporización. Esta vulnerabilidad está corregida en la versión 2.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-330"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samrocketman:jervis:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2", "matchCriteriaId": "F1205448-6074-4B8A-B941-572D3D44F9E1"}]}]}], "references": [{"url": "https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/samrocketman/jervis/security/advisories/GHSA-c9q6-g3hr-8gww", "source": "[email protected]", "tags": ["Vendor Advisory", "Patch"]}]}}