CVE-2021-22160
CRITICALApache Pulsar < 2.7.1 and 2.7.2 - Unauthenticated Authentication Bypass via JWT None Algorithm
Title source: llmDescription
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).
References (8)
Core 8
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E
Mailing List, Vendor Advisory mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E
Scores
CVSS v3
9.8
EPSS
0.1853
EPSS Percentile
95.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-347
Status
published
Products (2)
apache/pulsar
< 2.7.1
org.apache.pulsar/pulsar
0 - 2.7.2Maven
Published
May 26, 2021
Tracked Since
Feb 18, 2026