CVE-2020-2268

Name of the Vulnerable Software and Affected Versions Jenkins MongoDB Plugin versions 1.3 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller. This issue arises because the plugin does not perform permission checks in methods implementing form validation, enabling attackers with Overall/Read permission to exploit this vulnerability. Furthermore, the form validation methods do not require POST requests, contributing to the CSRF vulnerability.

Recommendations For Jenkins MongoDB Plugin versions 1.3 and earlier, as a temporary workaround, consider restricting access to the form validation methods to minimize the risk of exploitation. Additionally, restrict Overall/Read permission to trusted users only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.