Vulnerability Description
If Apache Pulsar is configured to authenticate clients with JSON Web Tokens (JWT), the broker does not validate the token signature when the presented token's header sets "alg" to "none". An attacker can therefore mint an unsigned token carrying arbitrary claims (for example a subject naming an admin role) and connect to the Pulsar instance as any user, including admins. Only deployments using token-based authentication are affected; the issue is fixed in 2.7.1.
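The following is an added, self-contained Python illustration of the flaw class described above; it is not Pulsar's code (Pulsar is written in Java and uses a JWT library) and makes no claim about its internals. It assumes an HS256 shared-secret deployment and a constructed demo secret, and uses only the standard library so it runs offline. `vulnerable_verify` honours whatever "alg" the token itself declares, so an attacker-supplied alg=none token with an empty signature is accepted; `hardened_verify` pins the algorithm server-side and always checks the MAC, which is the behaviour a fixed verifier must have. The claim Pulsar reads as the client's role is `sub` by default.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret. In a real deployment this is the broker's configured
# token signing key and must never appear in source.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a legitimately signed HS256 token, as an operator with the key would."""
    header = _encode_json({"alg": "HS256", "typ": "JWT"})
    payload = _encode_json(claims)
    mac = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def forge_alg_none(claims: dict) -> str:
    """What the attacker sends: header declares alg=none, signature segment left empty.
    No key material is needed to produce this."""
    header = _encode_json({"alg": "none", "typ": "JWT"})
    payload = _encode_json(claims)
    return f"{header}.{payload}."


def vulnerable_verify(token: str, secret: bytes) -> Optional[dict]:
    """Vulnerable pattern: trusts the token's own 'alg' header. 'none' is treated as
    'no signature to check', so attacker-chosen claims are returned as authenticated."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))  # signature never checked
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(payload_b64))
    return None


def hardened_verify(token: str, secret: bytes) -> Optional[dict]:
    """Hardened pattern: the accepted algorithm is fixed by the server configuration,
    not read from the token, and the MAC is always verified in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # rejects 'none' and any algorithm we did not configure
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "admin"})
    print("vulnerable accepts forged token:", vulnerable_verify(forged, DEMO_SECRET))
    print("hardened accepts forged token:  ", hardened_verify(forged, DEMO_SECRET))
```

The same check applies to any JWT verifier: the set of acceptable algorithms (and, for asymmetric keys, the key type that goes with them) is configuration on the verifying side, and a token whose header does not match that configuration is rejected before any claim is read.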
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Pulsar | < 2.7.1 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb (mailing list, vendor advisory)
- https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb
- https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54 (mailing list, vendor advisory)
- https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab578
- https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2e
- https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6
- https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f8
FAQ
What is CVE-2021-22160?
CVE-2021-22160 is a vulnerability with a CVSS score of 9.8 (CRITICAL). If Apache Pulsar is configured to authenticate clients using JSON Web Tokens (JWT), the token signature is not validated when the presented token's "alg" header is set to "none", which lets an attacker connect to Pulsar as any user, including admins.
How severe is CVE-2021-22160?
CVE-2021-22160 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-22160?
Yes. Apache Pulsar versions before 2.7.1 are affected; upgrade to 2.7.1 or later. See the references section above for the vendor advisory threads.