CVE-2025-68703
Unknown Unknown - Not Provided
Key Derivation Weakness in Jervis Library Enables Encryption Key Reuse

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: GitHub, Inc.

Description
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68703
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gleske jervis to 2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68703 is a vulnerability in the Jervis library versions prior to 2.2 where the salt used for the PBKDF2 key derivation function is deterministically derived from the password itself by taking the SHA-256 hash of the passphrase. This causes the same salt and thus the same derived key to be generated for repeated encryption operations using the same password. This design flaw enables pre-computation attacks, allowing attackers to reuse computed keys or precompute hashes for common passwords, significantly weakening the security of the key derivation process. The issue is fixed in version 2.2 by generating a random salt for each password and storing it alongside the ciphertext, ensuring unique key derivation even for the same password. [1]

Impact Analysis

This vulnerability can impact you by weakening the security of encrypted data when using Jervis versions prior to 2.2. Because the salt is derived deterministically from the password, attackers can perform pre-computation attacks, potentially allowing them to recover encryption keys or decrypt data encrypted with the same password. This is considered a high severity risk for external consumers of the library, as it compromises confidentiality and security of encrypted information. The vulnerability is less severe for internal uses. The only mitigation is upgrading to Jervis version 2.2 or later. [1]

Detection Guidance

This vulnerability can be detected by identifying if your system is using Jervis versions prior to 2.2, which use a deterministic salt derived from sha256Sum(passphrase) for key derivation. You can check the version of the Jervis library in your environment. Since the vulnerability relates to the encryption implementation, inspecting the code or binaries for the presence of the vulnerable key derivation method (salt = sha256Sum(passphrase).toLowerCase()) can help detect it. There are no specific network detection commands provided. To check the version, you might use commands like 'mvn dependency:list | grep jervis' if using Maven, or check your build files or dependency manifests. No direct commands for detecting the vulnerability on the network or system are provided. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Jervis library to version 2.2 or later, where the vulnerability is fixed by generating a random salt for each password and storing it alongside the ciphertext, ensuring unique key derivation. No other workarounds are available. Upgrading will also bring improvements such as migration to AES-256-GCM encryption and stronger RSA key handling. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68703. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart