Authentication with JWT allows use of “none”-algorithm
CVE-2021-22160

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Pulsar
Vendor: CVE Published:; 26 May 2021

Summary

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).

Affected Version(s)

Apache Pulsar Apache Pulsar < 2.7.1

References

https://lists.apache.org/thread.html/r347650d15a3e9c5f58b...

x_refsource_MISC

https://lists.apache.org/thread.html/rf2e90942996dceebac8...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/ra49cb62105154e4795b...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 26, 2021
Vulnerability Reserved
Jan 5, 2021

.