Apache · Apache Pulsar · CVE-2023-51437
**Name of the Vulnerable Software and Affected Versions**
Apache Pulsar versions prior to 2.11.3
Apache Pulsar versions prior to 3.0.2
Apache Pulsar versions prior to 3.1.1
**Description**
The Apache Pulsar SASL Authentication Provider verifies the secret-keyed signature on a SASL Role Token with a comparison whose running time depends on how many leading bytes of the supplied signature match the expected value (CWE-208, observable timing discrepancy). An attacker who can submit tokens and time the responses can use that discrepancy as an oracle to recover a valid signature one byte at a time, and so forge a SASL Role Token for a role of their choosing that passes signature verification. Because the token asserts the authenticated role, a forged token gives the attacker that role's access to protected data, affecting both confidentiality and integrity. Any component running the SASL Authentication Provider is exposed (broker, proxy, WebSocket proxy, function worker).
**Recommendations**
For Apache Pulsar version 2.11, upgrade to at least version 2.11.3.
For Apache Pulsar version 3.0, upgrade to at least version 3.0.2.
For Apache Pulsar version 3.1, upgrade to at least version 3.1.1.
For Apache Pulsar version 2.10 or earlier, no fixed release exists in that line; upgrade to one of the patched versions above.
After upgrading, rotate the signing secret in the file referenced by `saslJaasServerRoleTokenSignerSecretPath`. The upgrade only removes the timing oracle; any signature an attacker recovered while the vulnerable version was running remains valid until the secret it was computed under is replaced.
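The following added example (not code from the Pulsar project) shows the vulnerability class and why the secret must be rotated. It models a role token as `role|expiry` signed with HMAC-SHA256; that layout and scheme are assumptions for illustration, not Pulsar's actual token format. An early-exit byte comparison leaks the length of the matching prefix, which an idealised oracle exposes directly (a real attacker would infer it from many timed requests). A constant-time comparison (`hmac.compare_digest` here; `MessageDigest.isEqual` in Java) removes the leak, but a signature already recovered still verifies until the secret changes.

```python
import hashlib
import hmac
import secrets

SIG_LEN = hashlib.sha256().digest_size  # 32 bytes


def token_payload(role: str, expiry: int) -> bytes:
    # Assumed token layout for illustration only.
    return f"{role}|{expiry}".encode()


def sign(payload: bytes, secret: bytes) -> bytes:
    # Assumed signing scheme (HMAC-SHA256), not Pulsar's own.
    return hmac.new(secret, payload, hashlib.sha256).digest()


def early_exit_equal(a: bytes, b: bytes):
    """Byte-by-byte comparison that stops at the first mismatch (CWE-208).

    Returns (equal, matched_prefix_len). The prefix length models how long
    the comparison ran, which an attacker observes as response time.
    """
    if len(a) != len(b):
        return False, 0
    matched = 0
    for x, y in zip(a, b):
        if x != y:
            return False, matched
        matched += 1
    return True, matched


def verify_vulnerable(payload: bytes, sig: bytes, secret: bytes) -> bool:
    ok, _ = early_exit_equal(sign(payload, secret), sig)
    return ok


def verify_fixed(payload: bytes, sig: bytes, secret: bytes) -> bool:
    # Constant-time comparison: running time is independent of the matched prefix.
    return hmac.compare_digest(sign(payload, secret), sig)


def make_oracle(secret: bytes):
    """Idealised timing oracle over the vulnerable verifier: for a chosen
    payload and candidate signature it leaks how many leading bytes matched.
    Network noise and statistical averaging are deliberately left out."""
    def oracle(payload: bytes, candidate: bytes) -> int:
        return early_exit_equal(sign(payload, secret), candidate)[1]
    return oracle


def forge_signature(payload: bytes, oracle, length: int = SIG_LEN) -> bytes:
    """Recover a valid signature byte by byte: at position `pos` the correct
    byte is the only one for which the matched prefix grows past `pos`."""
    guess = bytearray(length)
    for pos in range(length):
        for b in range(256):
            guess[pos] = b
            if oracle(payload, bytes(guess)) > pos:
                break
        else:
            raise RuntimeError("oracle gave no signal at position %d" % pos)
    return bytes(guess)


def demo() -> dict:
    """Forge an 'admin' token under one secret, then rotate the secret."""
    old_secret = secrets.token_bytes(32)  # constructed secret
    new_secret = secrets.token_bytes(32)  # constructed replacement secret
    payload = token_payload("admin", 2_000_000_000)

    forged = forge_signature(payload, make_oracle(old_secret))
    return {
        "forged_is_real_signature": forged == sign(payload, old_secret),
        # Vulnerable verifier accepts the forged token.
        "passes_vulnerable": verify_vulnerable(payload, forged, old_secret),
        # Patched verifier still accepts it: the signature is genuinely valid.
        "passes_fixed_same_secret": verify_fixed(payload, forged, old_secret),
        # Only rotating the secret invalidates what was recovered earlier.
        "passes_after_rotation": verify_fixed(payload, forged, new_secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three verdicts in `demo()` are the practical point of the advisory: upgrading closes the oracle, but a token signed under the old secret keeps working against the patched verifier, so the secret file named by `saslJaasServerRoleTokenSignerSecretPath` has to be replaced as well.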