PT-2026-2497 · Cloudbees+1 · Jenkins+1
Published 2026-01-13 · Updated 2026-01-13 · CVE-2025-68704
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Jervis versions prior to 2.2
Description
Jervis, a library for Job DSL plugin scripts and shared Jenkins pipeline libraries, utilizes java.util.Random(), which is not cryptographically secure and may be susceptible to timing attacks. This impacts the security of random number generation within the library.
Recommendations
Update to version 2.2 or later.
Exploit
Fix
Use of Insufficiently Random Values
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jervis