CVE-2020-35667

7.5 HIGH

📋 TL;DR

CVE-2020-35667 is a Server-Side Request Forgery (SSRF) vulnerability in the JetBrains TeamCity Plugin, fixed in version 2020.2.85695. An attacker who can reach the vulnerable endpoint can make the TeamCity server issue HTTP requests on their behalf, including to hosts that are only reachable from the server's own network position (internal services, cloud instance metadata endpoints). Because a CI server holds VCS, deployment and cloud credentials, the realistic outcome is credential exposure and access to internal systems. Organizations running a TeamCity Plugin version below 2020.2.85695 are affected.

💻 Affected Systems

Products:
  • JetBrains TeamCity Plugin
Versions: All versions before 2020.2.85695
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects TeamCity Plugin installations regardless of underlying OS.

📦 What is this software?

TeamCity is JetBrains' continuous integration and delivery server. The server polls version control, schedules builds on agents, and stores the credentials those jobs need (VCS tokens, deployment keys, cloud credentials). That is why a request-forgery bug in it is a credential-exposure problem rather than a nuisance: anything the server can reach over HTTP, an attacker can reach through it.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker uses the forged requests to reach services that trust the TeamCity server's network position: cloud instance metadata (temporary IAM credentials), internal admin interfaces, agent or artifact endpoints. Credentials recovered this way allow pivoting to other network resources and, where an internal service accepts commands over unauthenticated HTTP, potentially remote code execution.

🟠 Likely Case

Credential theft from internal services, unauthorized reads of cloud metadata endpoints, and data exfiltration from internal APIs reachable over HTTP from the server.

🟢 If Mitigated

Limited impact where the server's egress is restricted to the hosts it actually needs (VCS, artifact stores, agents), metadata endpoints are blocked or require a session token, and internal services authenticate requests instead of trusting the source IP.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: No public weaponized exploit is known; generic SSRF tooling applies once the endpoint is identified
Unauthenticated Exploit: ✅ No
Complexity: LOW

SSRF is a well-understood bug class. Once the vulnerable request parameter is known, existing SSRF tooling (URL fuzzers, internal port scanning through the forged request, metadata-endpoint probes) does the rest, so the absence of a CVE-specific PoC should not be read as low risk.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.2.85695 and later

Vendor Advisory: https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/

Restart Required: Yes

Instructions:

1. Update the TeamCity Plugin to version 2020.2.85695 or later.
2. Restart the TeamCity server.
3. Verify the update: Administration → Plugins should show version 2020.2.85695 or higher.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Restrict the TeamCity server's outbound network access to the services it actually needs (VCS hosts, artifact repositories, build agents). The forged request originates from the server process, so it is the server's egress that matters here, not the agents'.

Egress Filtering (all platforms)

Add firewall rules that drop outbound connections from the TeamCity server to internal-only ranges and to cloud instance metadata endpoints (169.254.169.254) unless explicitly allowlisted. Neither workaround removes the bug; they only shrink what a forged request can reach.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate TeamCity from sensitive internal systems
  • Deploy a web application firewall with SSRF protection rules in front of TeamCity; treat this as partial cover, since URL-based rules are routinely bypassed with alternate encodings, redirects or DNS tricks

🔍 How to Verify

Check if Vulnerable:

Open Administration → Plugins in the TeamCity web UI and read the TeamCity Plugin's version. Any version below 2020.2.85695 is vulnerable.

Check Version:

The same page (Administration → Plugins) lists the version. Compare the trailing build number numerically, not as a string: 85695 is a build number, and string comparison misorders builds with different digit counts.

Verify Fix Applied:

Confirm the plugin version shown in Administration → Plugins is 2020.2.85695 or higher, and that the server has been restarted since the update.
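The comparison above is easy to get wrong in a fleet-wide inventory script, so here is an added example (not JetBrains' or TeamCity's own code) that decides "vulnerable or fixed" from a version string. It assumes the version arrives either in the dotted form used on this page ("2020.2.85695") or in the "2020.2.1 (build 85633)" form TeamCity shows in its UI, and that the build number is what decides, since the advisory expresses the fix as build 85695.

```python
import re
from typing import NamedTuple, Optional

# From the advisory: fixed in 2020.2.85695, i.e. build 85695.
FIXED_BUILD = 85695


class TcVersion(NamedTuple):
    major: int   # year, e.g. 2020
    minor: int   # release within the year, e.g. 2
    build: int   # JetBrains build number, e.g. 85695


# Assumed input formats (not taken from the advisory):
#   "2020.2.85695"            dotted form as written on this page
#   "2020.2.1 (build 85633)"  the "version (build N)" form TeamCity shows in its UI
_WITH_BUILD_SUFFIX = re.compile(r"^(\d{4})\.(\d+)(?:\.\d+)*\s*\(build\s+(\d+)\)$")
_DOTTED = re.compile(r"^(\d{4})\.(\d+)(?:\.\d+)*\.(\d+)$")


def parse_version(text: str) -> Optional[TcVersion]:
    """Extract (major, minor, build); None when no build number is present."""
    text = text.strip()
    m = _WITH_BUILD_SUFFIX.match(text)
    if m:
        return TcVersion(int(m[1]), int(m[2]), int(m[3]))
    m = _DOTTED.match(text)
    # A short trailing component ("2020.2.1") is a patch level, not a build,
    # so refuse to guess rather than report "build 1" as vulnerable.
    if m and len(m[3]) >= 4:
        return TcVersion(int(m[1]), int(m[2]), int(m[3]))
    return None


def is_vulnerable(version: TcVersion) -> bool:
    """Build numbers increase monotonically across JetBrains releases, so the
    build alone decides (assumption: every build >= 85695 carries the fix).
    Comparing the dotted strings lexicographically would be wrong:
    "2020.2.9000" > "2020.2.85695" as strings, yet build 9000 is older."""
    return version.build < FIXED_BUILD


def assess(text: str) -> str:
    """'vulnerable', 'fixed', or 'unknown: ...' for one version string."""
    v = parse_version(text)
    if v is None:
        return f"unknown: no build number in {text!r}; read it from Administration -> Plugins"
    return "vulnerable" if is_vulnerable(v) else "fixed"


if __name__ == "__main__":
    for s in ("2020.2.1 (build 85633)", "2020.2.85695", "2020.2.2 (build 85899)", "2020.2.1"):
        print(f"{s:28} -> {assess(s)}")
```

Feed it the version strings collected from each server's Administration → Plugins page; anything that comes back "unknown" needs a human to read the build number rather than a guess.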

📡 Detection & Monitoring

Log Indicators:

  • Outbound HTTP requests from the TeamCity server to destinations outside its normal set (VCS, artifact stores, agents)
  • Requests to cloud instance metadata services (169.254.169.254 and the provider hostnames that resolve to it)
  • Failed authentication attempts at internal services originating from the TeamCity server IP, a sign the forged requests are being used to probe

Network Indicators:

  • TeamCity server opening unexpected outbound HTTP/HTTPS connections
  • Connections from the TeamCity server to internal-only IP ranges it has no business with

SIEM Query:

source_ip="TeamCity_Server_IP" AND (dest_ip IN internal_ranges OR dest_host LIKE "%.internal" OR dest_ip="169.254.169.254")

TeamCity_Server_IP and internal_ranges are placeholders for your environment. A CI server talks to internal hosts all day, so baseline its normal destinations first and exclude them from the match; otherwise this query is mostly noise.
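The same rule, with the allowlist the note above calls for, run over a few constructed egress log lines. This is an added example, not part of the advisory or of any JetBrains tooling; the server IP, the allowlisted hosts and the log format (one record per line, key=value fields) are all assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Environment assumptions (hypothetical, not from the advisory) ----------
TEAMCITY_SERVER_IPS = {"10.0.5.20"}     # egress IP(s) of the TeamCity server
EXPECTED_EGRESS = {                     # hosts the server legitimately reaches;
    "10.0.9.10",                        #   assumed self-hosted Git server
    "10.0.9.20",                        #   assumed artifact repository
}                                       # the same set an egress filter would allow
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
METADATA_IPS = {"169.254.169.254"}
METADATA_HOSTS = {"metadata.google.internal"}

# Constructed sample log: one egress record per line, key=value fields.
SAMPLE_LOG = """\
2021-02-04T10:12:01Z src=10.0.5.20 dst=10.0.9.10 dport=443 host=git.corp.example path=/scm/app.git/info/refs
2021-02-04T10:12:03Z src=10.0.5.20 dst=169.254.169.254 dport=80 host=169.254.169.254 path=/latest/meta-data/iam/security-credentials/
2021-02-04T10:12:04Z src=10.0.5.20 dst=10.0.3.7 dport=8500 host=consul.service.internal path=/v1/kv/?recurse
2021-02-04T10:12:05Z src=10.0.5.20 dst=203.0.113.5 dport=443 host=www.example.com path=/
2021-02-04T10:12:06Z src=10.0.7.31 dst=169.254.169.254 dport=80 host=169.254.169.254 path=/latest/meta-data/
"""


@dataclass
class Alert:
    severity: str
    ts: str
    dst: str
    host: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Split 'TS k=v k=v ...' into a dict (values contain no spaces here)."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def classify(f: Dict[str, str]) -> Optional[Alert]:
    """Apply the SIEM rule above, plus an egress allowlist to cut the noise."""
    if f["src"] not in TEAMCITY_SERVER_IPS:
        return None                         # only the server's egress matters
    dst, host = f["dst"], f.get("host", "")
    if dst in METADATA_IPS or host in METADATA_HOSTS:
        return Alert("high", f["ts"], dst, host, "cloud instance metadata endpoint")
    if dst in EXPECTED_EGRESS:
        return None                         # baseline traffic, not an indicator
    try:
        is_internal = any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS)
    except ValueError:
        is_internal = False                 # dst is not an IP literal; rely on host
    if is_internal or host.endswith(".internal"):
        return Alert("medium", f["ts"], dst, host, "internal destination outside egress allowlist")
    return None                             # public destination: outside this rule's scope


def scan(lines) -> List[Alert]:
    """Run the rule over raw log lines and return the alerts, in log order."""
    return [a for a in (classify(parse_line(l)) for l in lines if l.strip()) if a]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.severity:6} {a.ts} {a.dst:16} {a.host:25} {a.reason}")
```

On the sample the Git fetch is dropped by the allowlist, the metadata read is high, the Consul KV read is medium, the public fetch is ignored (the page's rule only looks inward), and the agent's own metadata read is ignored because its source is not the server. Keep EXPECTED_EGRESS and the firewall allowlist in step: a destination that is fine for one is fine for the other.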

🔗 References

  • JetBrains Security Bulletin Q4 2020: https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/
  • NVD entry for CVE-2020-35667: https://nvd.nist.gov/vuln/detail/CVE-2020-35667
