Pulsar uses Curl to send HTTP(S) requests and typically uses the tlsAllowInsecure_ global variable (derived from isTlsAllowInsecureConnection()) to determine whether SSL verification¹ should be enabled/disabled².
In the linked occurrences, those checks do not occur and SSL verification is disabled by default, which is obviously a security issue for end-users.
This vulnerability is capable of allowing an attacker to intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'.
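To make the defect concrete, here is an added example (not Pulsar's own code, and in Python's stdlib `ssl`/`urllib` rather than Curl) of the pattern the report describes: a context that switches verification off unconditionally, beside the form that only does so when the operator has set the tlsAllowInsecure flag. The function names, the `tls_allow_insecure` parameter and the `/.well-known/openid-configuration` path are assumptions standing in for the client's internals.

```python
import ssl
import urllib.request
from typing import Optional

# Illustrative stand-ins for Pulsar's tlsAllowInsecure_ /
# isTlsAllowInsecureConnection(); names are assumed, not the client's API.


def insecure_context_always() -> ssl.SSLContext:
    """Defect pattern: peer and hostname checks off regardless of config."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_context(tls_allow_insecure: bool,
                  trust_certs: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: verification stays on unless explicitly opted out."""
    # cafile=None falls back to the platform trust store.
    ctx = ssl.create_default_context(cafile=trust_certs)
    if tls_allow_insecure:
        # Only here, and only because the operator asked for it.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context would reject an untrusted or mismatched cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verify_mode_name(ctx: ssl.SSLContext) -> str:
    return ssl.VerifyMode(ctx.verify_mode).name


def fetch_issuer_metadata(issuer_url: str, tls_allow_insecure: bool = False,
                          trust_certs: Optional[str] = None,
                          timeout: float = 10.0) -> bytes:
    """GET the issuer's discovery document with the policy-derived context."""
    # Assumed discovery path; the report only says a GET goes to the issuer URL.
    url = issuer_url.rstrip("/") + "/.well-known/openid-configuration"
    ctx = build_context(tls_allow_insecure, trust_certs)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()
```

With the default `tls_allow_insecure=False`, a tampered or self-signed certificate on the issuer host makes `fetch_issuer_metadata` raise `ssl.SSLCertVerificationError` instead of silently returning attacker-controlled metadata.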