CVE-2021-22160: Improper Verification of Cryptographic Signature

May 26, 2021 (updated June 4, 2022)

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to “none”. This allows an attacker to connect to Pulsar instances as any user (incl. admins).

References

nvd.nist.gov/vuln/detail/CVE-2021-22160

Code Behaviors & Features

Detect and mitigate CVE-2021-22160 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →