If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user, including admins.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2021-05-26T12:22:31
Updated: 2021-06-04T20:06:14
Reserved: 2021-01-05T00:00:00
Link: CVE-2021-22160
NVD Information
Status: Modified
Published: 2021-05-26T13:15:07.697
Modified: 2023-11-07T03:30:09.680
Link: CVE-2021-22160
Red Hat Information
No data.
CWE