CVE-2025-68698

Jervis has an RSA PKCS#1 v1.5 Padding Vulnerability

CVSS 8.7 HIGHEPSS 0.1%CWE-327

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.7EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

13 Jan 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). This vulnerability is fixed in 2.2.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

samrocketman · jervis

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a https://github.com/samrocketman/jervis/security/advisories/GHSA-mqw7-c5gg-xq97