huntr Michaellrowley DF89B724-3201-47AA-B8CD-282E112A566F
History: Mar 10, 2022 - 5:24 p.m.

SSL verification omitted in OAuth2 credential flow

2022-03-10 17:24:51
michaellrowley
www.huntr.dev
13
ssl verification
oauth2
pulsar
curl
http(s)
security issue
end-users

EPSS: 0.001 (Percentile: 30.8%)

Description

Pulsar uses Curl to send HTTP(S) requests and typically uses the tlsAllowInsecure_ global variable (derived from isTlsAllowInsecureConnection()) to determine whether SSL verification should be enabled or disabled.
In the linked occurrences, those checks do not occur and SSL verification is disabled by default, which is obviously a security issue for end-users.
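
An added example, not taken from the report or from the Pulsar code base: a small Python audit check that flags libcurl call sites which hard-code CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST to zero instead of deriving the value from a setting such as tlsAllowInsecure_. The C++ sample is constructed, fetchIssuerMetadata and lookup are hypothetical names, and the regex is a line-based heuristic that assumes each call sits on one line.

```python
import re

# curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|VERIFYHOST, <value>);
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,]+,\s*"
    r"(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^;]+?)\s*\)\s*;"
)
# A value that is a bare zero, i.e. verification is off on every code path.
LITERAL_ZERO = re.compile(r"^(?:\(long\)\s*)?0[lL]?$|^false$")

# Constructed sample (not Pulsar source): the first function disables
# verification unconditionally, the second follows the TLS setting.
SAMPLE = '''\
// constructed sample
void fetchIssuerMetadata(CURL* handle, const std::string& url) {
    curl_easy_setopt(handle, CURLOPT_URL, url.c_str());
    curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 0L);
}
void lookup(CURL* handle, bool tlsAllowInsecure_) {
    curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, tlsAllowInsecure_ ? 0L : 1L);
    curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, tlsAllowInsecure_ ? 0L : 2L);
}
'''


def find_unconditional_disables(source):
    """Return (line_number, option) for each call that hard-codes verification off."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop line comments before matching
        for option, value in SETOPT.findall(code):
            if LITERAL_ZERO.match(value.strip()):
                findings.append((lineno, option))
    return findings


if __name__ == "__main__":
    for lineno, option in find_unconditional_disables(SAMPLE):
        print(f"line {lineno}: {option} is hard-coded to 0")
```

Calls whose value depends on a variable are not flagged, so a finding means verification is off regardless of the client's TLS configuration.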

Impact

This vulnerability can allow an attacker to intercept and/or modify the GET request that is sent to the ClientCredentialFlow ‘issuer url’.
