Artem Godin

**Name of the Vulnerable Software and Affected Versions** JetBrains TeamCity versions prior to 2021.2 **Description** The issue allows for blind Server-Side Request Forgery (SSRF) via an XML-RPC call. This means an attacker could potentially force the server to make requests to arbitrary destinations, which could lead to internal network scanning or accessing services not intended for public exposure. **Recommendations** For versions prior to 2021.2, update to version 2021.2 or later to resolve the issue. As a temporary workaround, consider restricting access to XML-RPC calls until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** JetBrains TeamCity versions prior to 2021.2 **Description** The issue is related to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration via XML-RPC. This type of attack occurs when there is a delay between the time of check and the time of use of a resource, allowing an attacker to exploit the window of opportunity. **Recommendations** For versions prior to 2021.2, update to version 2021.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the XML-RPC agent registration functionality until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** JetBrains TeamCity versions prior to 2021.2.1 **Description** The issue allows an unauthenticated attacker to cancel running builds via an XML-RPC request to the TeamCity server. **Recommendations** For versions prior to 2021.2.1, update to version 2021.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the XML-RPC endpoint to minimize the risk of exploitation.