CVE-2021-22160

CVSS v3.1 9.8 (Critical)

CVSS v2.0 7.5 (High)

EPSS 1.68 % (88^th)

Affected Products 1

Advisories 1

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).

Weaknesses

CWE-347: Improper Verification of Cryptographic Signature

CVE Status: PUBLISHED
CNA: Apache Software Foundation
Published Date: 2021-05-26 13:15:07
(3 years ago)
Updated Date: 2023-11-07 03:30:09
(10 months ago)

Affected Products

Apache

Pulsar

Configuration #1

		CPE23	From	Up To
	Apache Pulsar prior 2.7.1 version	cpe:2.3:a:apache:pulsar		< 2.7.1