CVE-2021-22160: Improper Verification of Cryptographic Signature

June 1, 2021 (updated June 7, 2021)

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to “none”. This allows an attacker to connect to Pulsar instances as any user (incl. admins).

References

github.com/advisories/GHSA-3cv4-xxv7-934q
github.com/apache/pulsar/releases/tag/v2.7.2
nvd.nist.gov/vuln/detail/CVE-2021-22160

Detect and mitigate CVE-2021-22160 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →