CVE-2020-35667

HIGH

JetBrains TeamCity < 2020.2.85695 - Server-Side Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-35667. PoCs published by stefan-500, Diekgbbtt.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2020-35667, exploiting an XML-RPC authentication bypass in JetBrains TeamCity. The PoC simulates a fake TeamCity server to bypass server recognition and authentication checks by responding to specific XML-RPC method calls.

Description

JetBrains TeamCity Plugin before 2020.2.85695 SSRF. Vulnerability that could potentially expose user credentials.

Exploits (2)

nomisec WORKING POC

by stefan-500 · poc

https://github.com/stefan-500/teamcity-idea-cve-2020-35667-poc

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2020-35667, exploiting an XML-RPC authentication bypass in JetBrains TeamCity. The PoC simulates a fake TeamCity server to bypass server recognition and authentication checks by responding to specific XML-RPC method calls.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: JetBrains TeamCity (IntelliJ IDEA plugin)

No auth needed

Prerequisites: Network access to the target TeamCity instance · IntelliJ IDEA with TeamCity plugin installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC

by Diekgbbtt · poc

https://github.com/Diekgbbtt/CVE-2020-35667-PoC

View Code ZIP pw:eip

This repository contains a functional proof-of-concept for CVE-2020-35667, demonstrating an SSRF vulnerability in the IntelliJ IDEA TeamCity integration plugin. The exploit leverages insufficient URL validation to force the plugin to make authenticated requests to an attacker-controlled server, leading to credential leakage.

Classification

Working Poc 95%

Attack Type

Ssrf

Complexity

Moderate

Reliability

Reliable

Target: IntelliJ IDEA TeamCity integration plugin (versions prior to patch)

No auth needed

Prerequisites: Access to the developer's host (e.g., via phishing or XSS) · TeamCity server configured in IntelliJ IDEA

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Product x_refsource_misc

https://blog.jetbrains.com

Vendor Advisory x_refsource_misc

https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/

Scores

CVSS v3 7.5

EPSS 0.0134

EPSS Percentile 67.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-918

Status published

Products (1)

jetbrains/teamcity < 2020.2.85695

Published Feb 03, 2021

Tracked Since Feb 18, 2026