Jenkins MongoDB Plugin 1.3 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix.