CVE-2020-2268
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to access arbitrary file metadata on the Jenkins controller.
Root Cause
The Jenkins MongoDB Plugin up to version 1.3 lacks cross-site request forgery (CSRF) protection. This allows an attacker to trick a Jenkins administrator or user with the necessary permissions into performing unintended actions without their knowledge.
Exploitation
An attacker can craft a malicious web page or link that, when clicked by an authenticated Jenkins user, triggers a forged request to the Jenkins controller. No authentication is required for the attacker beyond luring a logged-in user to interact with the malicious content. The attack leverages the user's session to execute the CSRF payload.
Impact
Successful exploitation enables the attacker to access metadata of arbitrary files stored on the Jenkins controller. This includes information about file paths, sizes, and timestamps. While the plugin does not expose the file contents themselves, the metadata leak can aid in reconnaissance or further attacks.
Mitigation
The vulnerability is described in the Jenkins Security Advisory published on September 16, 2020 [1]. The advisory lists the MongoDB Plugin among several plugins with unresolved security issues, meaning no fix had been released for the MongoDB Plugin as of the advisory date [2]. Administrators should consider disabling the plugin if it is not in use, or apply available workarounds such as restricting access to the Jenkins controller [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:mongodb (Maven) | <= 1.3 | — |
Affected products
- Range: <=1.3
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-j6p9-hm3q-hwmj (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2268 (NVD advisory)
- www.openwall.com/lists/oss-security/2020/09/16/3 (oss-security mailing list)
- www.jenkins.io/security/advisory/2020-09-16/ (Jenkins Security Advisory, vendor confirmation)
News mentions
- Jenkins Security Advisory 2020-09-16 (Jenkins Security Advisories, Sep 16, 2020)