PT-2021-3274 · Apache · Apache Pulsar

Michael Marshall · Published 2021-05-25 · Updated 2022-06-04 · CVE-2021-22160

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Pulsar (affected versions not specified)

Description: The issue is related to the authentication mechanism in Apache Pulsar when JSON Web Tokens (JWT) are used for client authentication. If the algorithm ("alg") field of the presented token is set to "none", the token's signature is not validated at all. This allows an attacker to connect to Pulsar instances as any user, including administrators. The vulnerability is a case of incorrect validation of a cryptographic signature, which a remote attacker can exploit to gain unauthorized access to protected information.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
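The following is an added illustration (not Pulsar's code and not part of this advisory): a minimal JWT verifier in Python showing the weak check, which trusts the token's own "alg" field and therefore accepts an unsigned "alg: none" token, next to a hardened check that pins the accepted algorithm server-side. The HMAC key and token contents are constructed for the demonstration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed shared HMAC key, not a real secret

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1])), parts

def _hs256(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def weak_verify(token: str, key: bytes) -> dict:
    """Vulnerable pattern: the token decides its own algorithm, and 'none' means no signature check."""
    header, payload, parts = _split(token)
    if header.get("alg") == "none":
        return payload                      # signature never examined
    if header.get("alg") == "HS256" and hmac.compare_digest(
            _hs256(key, f"{parts[0]}.{parts[1]}"), _b64url_decode(parts[2])):
        return payload
    raise ValueError("bad signature")

def hardened_verify(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Fixed pattern: the server pins the algorithm; 'none' is never in the allow-list."""
    header, payload, parts = _split(token)
    if header.get("alg") not in allowed_algs:
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    sig = _b64url_decode(parts[2])
    if not sig or not hmac.compare_digest(_hs256(key, f"{parts[0]}.{parts[1]}"), sig):
        raise ValueError("bad signature")
    return payload

def build_test_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Test-vector builder for the verifier's regression test (signed, or unsigned when alg='none')."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    if alg == "none":
        return f"{header}.{body}."
    return f"{header}.{body}.{_b64url_encode(_hs256(key, f'{header}.{body}'))}"

def accepts(verifier, token: str, key: bytes) -> bool:
    """True if the verifier returns a payload, False if it rejects the token."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False
```

A regression test for the fix is simply that `hardened_verify` rejects every token whose "alg" is not in the server-side allow-list, including an unsigned one that `weak_verify` would accept.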

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2021-03036
CVE-2021-22160
GHSA-3CV4-XXV7-934Q

Affected Products

Apache Pulsar