Vulnerability Details CVE-2021-22160
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.185
EPSS Ranking 95.0%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E
Products affected by CVE-2021-22160
-
cpe:2.3:a:apache:pulsar:1.14
-
cpe:2.3:a:apache:pulsar:1.15
-
cpe:2.3:a:apache:pulsar:1.15.1
-
cpe:2.3:a:apache:pulsar:1.15.2
-
cpe:2.3:a:apache:pulsar:1.15.3
-
cpe:2.3:a:apache:pulsar:1.15.4
-
cpe:2.3:a:apache:pulsar:1.15.5
-
cpe:2.3:a:apache:pulsar:1.15.6
-
cpe:2.3:a:apache:pulsar:1.15.7
-
cpe:2.3:a:apache:pulsar:1.16
-
cpe:2.3:a:apache:pulsar:1.16.1
-
cpe:2.3:a:apache:pulsar:1.16.2
-
cpe:2.3:a:apache:pulsar:1.16.3
-
cpe:2.3:a:apache:pulsar:1.16.4
-
cpe:2.3:a:apache:pulsar:1.16.5
-
cpe:2.3:a:apache:pulsar:1.17
-
cpe:2.3:a:apache:pulsar:1.17.1
-
cpe:2.3:a:apache:pulsar:1.17.2
-
cpe:2.3:a:apache:pulsar:1.17.3
-
cpe:2.3:a:apache:pulsar:1.17.4
-
cpe:2.3:a:apache:pulsar:1.17.5
-
cpe:2.3:a:apache:pulsar:1.18
-
cpe:2.3:a:apache:pulsar:1.19.0
-
cpe:2.3:a:apache:pulsar:1.20.0
-
cpe:2.3:a:apache:pulsar:1.21.0
-
cpe:2.3:a:apache:pulsar:1.22.0
-
cpe:2.3:a:apache:pulsar:1.22.1
-
cpe:2.3:a:apache:pulsar:2.0.0
-
cpe:2.3:a:apache:pulsar:2.0.1
-
cpe:2.3:a:apache:pulsar:2.1.0
-
cpe:2.3:a:apache:pulsar:2.1.1
-
cpe:2.3:a:apache:pulsar:2.2.0
-
cpe:2.3:a:apache:pulsar:2.2.1
-
cpe:2.3:a:apache:pulsar:2.3.0
-
cpe:2.3:a:apache:pulsar:2.3.1
-
cpe:2.3:a:apache:pulsar:2.3.2
-
cpe:2.3:a:apache:pulsar:2.4.0
-
cpe:2.3:a:apache:pulsar:2.4.1
-
cpe:2.3:a:apache:pulsar:2.4.2
-
cpe:2.3:a:apache:pulsar:2.5.0
-
cpe:2.3:a:apache:pulsar:2.5.1
-
cpe:2.3:a:apache:pulsar:2.5.2
-
cpe:2.3:a:apache:pulsar:2.6.0
-
cpe:2.3:a:apache:pulsar:2.6.1
-
cpe:2.3:a:apache:pulsar:2.6.2
-
cpe:2.3:a:apache:pulsar:2.6.3
-
cpe:2.3:a:apache:pulsar:2.6.4
-
cpe:2.3:a:apache:pulsar:2.7.0