Skip to main content

MongoDB CVE-2020-2268

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2020-09-16 jenkinsci-cert@googlegroups.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 16, 2020 - 14:15 nvd
HIGH 8.8

DescriptionNVD

A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller.

AnalysisAI

A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller. Affected products include: Jenkins Mongodb.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2013-1892 MEDIUM POC
6.0 Oct 01

MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMo

CVE-2013-3969 MEDIUM POC
6.5 Oct 01

The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a

CVE-2026-25887 HIGH POC
7.2 Mar 06

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut

CVE-2019-2386 HIGH POC
7.1 Aug 06

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's

CVE-2012-6619 MEDIUM POC
6.4 Mar 06

The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to

CVE-2026-3431 CRITICAL
9.8 Mar 02

SimStudio below 0.5.74 has a missing authorization on MongoDB tool endpoints that allows attackers to execute arbitrary

CVE-2024-8654 CRITICAL
9.8 Sep 10

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are calle

CVE-2024-1351 CRITICAL
9.8 Mar 07

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which ma

CVE-2021-20333 MEDIUM POC
5.3 Jul 23

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log e

CVE-2017-15535 CRITICAL
9.1 Nov 01

MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompr

CVE-2013-2132 MEDIUM POC
4.3 Aug 15

bson/_cbsonmodule.c in the mongo-python-driver (aka. Rated medium severity (CVSS 4.3), this vulnerability is remotely ex

CVE-2026-11933 HIGH
8.7 Jun 12

Memory disclosure and denial of service in MongoDB Server's server-side JavaScript engine allow an authenticated user wi

Share

CVE-2020-2268 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy