cve-2021-22160
Vulnerability from cvelistv5
Published
2021-05-26 12:22
Modified
2024-08-03 18:37
Severity ?
Summary
Authentication with JWT allows use of “none”-algorithm
References
security@apache.orghttps://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3EMailing List, Vendor Advisory
security@apache.orghttps://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E
security@apache.orghttps://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3EMailing List, Vendor Advisory
security@apache.orghttps://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E
security@apache.orghttps://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E
security@apache.orghttps://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E
security@apache.orghttps://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E
security@apache.orghttps://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E
Impacted products
Apache Software FoundationApache Pulsar
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:37:18.090Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E"
          },
          {
            "name": "[pulsar-dev] 20210527 Cutting 2.6.4 release to address CVE-2021-22160",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E"
          },
          {
            "name": "[pulsar-dev] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E"
          },
          {
            "name": "[pulsar-users] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E"
          },
          {
            "name": "[pulsar-dev] 20210527 Re: Cutting 2.6.4 release to address CVE-2021-22160",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E"
          },
          {
            "name": "Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \u201cnone\u201d-algorithm",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E"
          },
          {
            "name": "[pulsar-dev] 20210531 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E"
          },
          {
            "name": "[pulsar-dev] 20210604 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Pulsar",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.7.1",
              "status": "affected",
              "version": "Apache Pulsar",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to \"none\". This allows an attacker to connect to Pulsar instances as any user (incl. admins)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "token not validated",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-04T20:06:14",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E"
        },
        {
          "name": "[pulsar-dev] 20210527 Cutting 2.6.4 release to address CVE-2021-22160",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E"
        },
        {
          "name": "[pulsar-dev] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E"
        },
        {
          "name": "[pulsar-users] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E"
        },
        {
          "name": "[pulsar-dev] 20210527 Re: Cutting 2.6.4 release to address CVE-2021-22160",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E"
        },
        {
          "name": "Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \u201cnone\u201d-algorithm",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E"
        },
        {
          "name": "[pulsar-dev] 20210531 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E"
        },
        {
          "name": "[pulsar-dev] 20210604 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authentication with JWT allows use of \u201cnone\u201d-algorithm",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-22160",
          "STATE": "PUBLIC",
          "TITLE": "Authentication with JWT allows use of \u201cnone\u201d-algorithm"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Pulsar",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache Pulsar",
                            "version_value": "2.7.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to \"none\". This allows an attacker to connect to Pulsar instances as any user (incl. admins)."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "token not validated"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E"
            },
            {
              "name": "[pulsar-dev] 20210527 Cutting 2.6.4 release to address CVE-2021-22160",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5@%3Cdev.pulsar.apache.org%3E"
            },
            {
              "name": "[pulsar-dev] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550@%3Cdev.pulsar.apache.org%3E"
            },
            {
              "name": "[pulsar-users] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550@%3Cusers.pulsar.apache.org%3E"
            },
            {
              "name": "[pulsar-dev] 20210527 Re: Cutting 2.6.4 release to address CVE-2021-22160",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da@%3Cdev.pulsar.apache.org%3E"
            },
            {
              "name": "Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \u201cnone\u201d-algorithm",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E"
            },
            {
              "name": "[pulsar-dev] 20210531 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84@%3Cdev.pulsar.apache.org%3E"
            },
            {
              "name": "[pulsar-dev] 20210604 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df@%3Cdev.pulsar.apache.org%3E"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-22160",
    "datePublished": "2021-05-26T12:22:31",
    "dateReserved": "2021-01-05T00:00:00",
    "dateUpdated": "2024-08-03T18:37:18.090Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-22160\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2021-05-26T13:15:07.697\",\"lastModified\":\"2023-11-07T03:30:09.680\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to \\\"none\\\". This allows an attacker to connect to Pulsar instances as any user (incl. admins).\"},{\"lang\":\"es\",\"value\":\"Si Apache Pulsar est\u00e1 configurado para autenticar clientes utilizando tokens basados ??en JSON Web Tokens (JWT), la firma del token no es comprobada si el algoritmo del token presentado se establece en \\\"none\\\".\u0026#xa0;Esto permite a un atacante conectarse a las instancias de Pulsar como cualquier usuario (incluidos los administradores)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":7.5},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.1\",\"matchCriteriaId\":\"A97EC45B-CE27-4BD1-9615-E71D4FD76A0C\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E\",\"source\":\"security@apache.org\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.