PT-2026-2556 · Cloudbees+1 · Jenkins+1
Published 2026-01-13 · Updated 2026-01-13 · CVE-2025-68925
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Jervis versions prior to 2.2
Description
The Jervis library, used for Job DSL plugin scripts and shared Jenkins pipeline libraries, does not validate the algorithm specified in the JWT header: it does not check that the header carries "alg":"RS256" before accepting the token. This could allow unauthorized access to, or manipulation of, Jenkins pipelines.
Recommendations
Update Jervis to version 2.2 or later.
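As an added illustration (not Jervis code and not part of this advisory), a hypothetical Go verifier that pins the expected algorithm instead of trusting the token header: any token whose header claims something other than RS256 is rejected before the signature is examined, and the header value never selects the verification routine. The key, payload and function names are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// demoKey is a throwaway RSA key generated at start-up for this demo (constructed, not real).
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)
// SignRS256 mints a demo token whose header is fixed to RS256.
func SignRS256(payload string, priv *rsa.PrivateKey) string {
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString([]byte(payload))
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyRS256 is a hypothetical hardened verifier (not Jervis code): the accepted algorithm is
// pinned here, so a header claiming "none", "HS256" or anything else is rejected before the signature is checked.
func VerifyRS256(token string, pub *rsa.PublicKey) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token: want 3 segments, got %d", len(parts))
	}
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return "", fmt.Errorf("malformed token: segment is not base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("rejected header alg %q: only RS256 is accepted", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature does not verify under the pinned RS256 key")
	}
	return string(payload), nil
}

func main() {
	fmt.Println(VerifyRS256(SignRS256(`{"sub":"pipeline-bot"}`, demoKey), &demoKey.PublicKey))
}
```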
Weakness Enumeration
Improper Verification of Cryptographic Signature
Related Identifiers
CVE-2025-68925
Affected Products
Jenkins
Jervis