#VU53540 Improper Authentication in Apache Pulsar - CVE-2021-22160

 

Published: May 25, 2021


Vulnerability identifier: #VU53540
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-22160
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Apache Pulsar
Software vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error when processing authentication requests based on JSON Web Tokens (JWT). The signature of the token is not validated if the algorithm of the presented token is set to "none". A remote attacker can bypass the authentication process and connect to the application under an arbitrary account, including administrative accounts.
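As an added illustration that is not part of this advisory or of the Pulsar code base, the following minimal JWT verifier shows the flawed pattern (the token's own `alg` field decides whether a signature is checked) next to the hardened form (a server-side algorithm allow-list that never contains "none", with the signature always verified). The key, claims and function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real broker reads its secret/public key from config.
SECRET = b"constructed-demo-secret"
ALLOWED_ALGS = {"HS256"}  # server-side allow-list; "none" is never a member

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _hs256(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims: dict, alg: str) -> str:
    """Build a constructed JWT; alg='none' yields an unsigned token with an
    empty signature segment, which is exactly what a client could present."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = b"" if alg == "none" else _hs256(signing_input)
    return f"{signing_input}.{_b64url_encode(sig)}"

def verify_lenient(token: str) -> dict:
    """Flawed pattern: the token's own 'alg' decides whether the signature
    is checked, so an 'alg: none' token is accepted without any signature."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header["alg"] != "none" and not hmac.compare_digest(
        _b64url_decode(s), _hs256(f"{h}.{p}")
    ):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))

def verify_strict(token: str) -> dict:
    """Hardened pattern: the accepted algorithm comes from the server's
    allow-list, not from the token, and the signature is always verified."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    if not hmac.compare_digest(_b64url_decode(s), _hs256(f"{h}.{p}")):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))
```

Broker-side logging of the rejected algorithm (as in `verify_strict`) also gives a simple detection signal: any "none" or otherwise unlisted algorithm reaching the authenticator is worth alerting on.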


Remediation

Install updates from the vendor's website.

External links