VYPR
Moderate severity · NVD Advisory · Published Sep 16, 2020 · Updated Aug 4, 2024

CVE-2020-2267

Description

A missing permission check in Jenkins MongoDB Plugin 1.3 and earlier allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing permission check in Jenkins MongoDB Plugin 1.3 and earlier allows attackers with Overall/Read to access file metadata.

Vulnerability

CVE-2020-2267 is a missing permission check in Jenkins MongoDB Plugin version 1.3 and earlier. The plugin fails to verify that a user has the necessary permissions before allowing access to certain operations, enabling attackers with only Overall/Read permission to retrieve metadata of arbitrary files on the Jenkins controller.[1][2]

Exploitation

An attacker must have Overall/Read permission, a common privilege granted to many Jenkins users. By exploiting the missing check, the attacker can query the plugin to obtain file metadata such as size, modification timestamps, and possibly other attributes for any file on the controller's filesystem. No additional authentication or network position beyond being a Jenkins user is required.[1][3]

Impact

The attacker gains access to metadata about files on the Jenkins controller, which could include configuration files, secrets, or logs. This information leakage may aid in further attacks against the Jenkins instance or the underlying system.

Mitigation

As of the advisory publication, no fix was available for the MongoDB Plugin (it is listed as an unresolved security issue). Users are advised to remove or disable the plugin if not required, or to restrict the number of users with Overall/Read permission.[1][2] The plugin's GitHub repository confirms the lack of an updated release.[4]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:mongodb (Maven) | <= 1.3 | -

Patches

No patches discovered yet.
