CVE-2021-22160
Published: May 26, 2021
Modified: Aug 3, 2024
PUBLISHED
Description
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (including admins).
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache Pulsar | < 2.7.1 (affected) |
References
- [pulsar-dev] 20210527 Cutting 2.6.4 release to address CVE-2021-22160 (mailing-list, x_refsource_MLIST)
- [pulsar-dev] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of "none"-algorithm (mailing-list, x_refsource_MLIST)
- [pulsar-users] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of "none"-algorithm (mailing-list, x_refsource_MLIST)
- [pulsar-dev] 20210527 Re: Cutting 2.6.4 release to address CVE-2021-22160 (mailing-list, x_refsource_MLIST)
- Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of "none"-algorithm (mailing-list, x_refsource_MLIST)
- [pulsar-dev] 20210531 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions (mailing-list, x_refsource_MLIST)
- [pulsar-dev] 20210604 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions (mailing-list, x_refsource_MLIST)