Insecure Randomness Affecting net.gleske:jervis package, versions [,2.2)

Q: How to fix?

Upgrade net.gleske:jervis to version 2.2 or higher.

Threat Intelligence

0.05% (15^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Insecure Randomness vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-JAVA-NETGLESKE-14927394
published15 Jan 2026
disclosed13 Jan 2026
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 13 Jan 2026

CVE-2025-68704 (opens in a new tab) CWE-338 (opens in a new tab)

How to fix?

Upgrade net.gleske:jervis to version 2.2 or higher.

Overview

net.gleske:jervis is a Self service Jenkins job generation using Jenkins Job DSL plugin groovy scripts. Reads .jervis.yml and generates a job in Jenkins.

Affected versions of this package are vulnerable to Insecure Randomness via the SecurityIO function. An attacker can predict random delays by analyzing the output of the randomization mechanism, potentially allowing them to perform timing attacks.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None