If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the token's signature is not validated when the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (including admins).
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"13343199906080567355327046263291242934",
"66443402438450600842721076828010474548",
"231279283207357356727874610342899311949",
"319498916956910338582968687226893981171",
"161403434769859326127501472497639239686",
"29894245584646026771238015833992197731",
"20442382929230193370094299352671175240",
"167926599160935949217555517312324160979",
"3969021539140368944541891706454272987",
"32587283295654531882861333521281228287",
"91004435481515443419193846513854177066",
"69298087081940564135547239642271029440"
]
},
"id": "CVE-2021-22160-9d55e6b8",
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"signature_type": "Line",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceReader.java"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"150554070558514417499956772130572421084",
"81042947091868430478375905312460657708",
"140350643460818546930569698686457987620",
"279993339217558671080547213639038139241",
"40438349506969206266022438885598088638",
"240994273641353270766900138467430074642",
"249848150602551863629820195559969178095",
"114388734559731466913840283470842103890",
"74137028872922559046397328053230494802",
"309510348649781237790210797233191939204",
"60088706953419712955287304226395659447",
"312086726970542322389975788197909794936",
"185219985881079343288820327755166799525",
"259996328910508419014349793547476559231",
"266746878558385270347398079658570055549",
"108116574961733143123286744424636111941"
]
},
"id": "CVE-2021-22160-b0d10d38",
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"signature_type": "Line",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceProducer.java"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 4617.0,
"function_hash": "249431010052407684037984679800576826944"
},
"id": "CVE-2021-22160-c057f869",
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"signature_type": "Function",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceProducer.java",
"function": "runProducer"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 4756.0,
"function_hash": "62367699578856898966262814562137860027"
},
"id": "CVE-2021-22160-d30c2619",
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"signature_type": "Function",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceProducer.java",
"function": "main"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 4218.0,
"function_hash": "15371671768062587689777100981307781840"
},
"id": "CVE-2021-22160-d4e8e7a1",
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"signature_type": "Function",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceReader.java",
"function": "main"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 6038.0,
"function_hash": "29076506231259417791862277699844051517"
},
"id": "CVE-2021-22160-e989523d",
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"signature_type": "Function",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceConsumer.java",
"function": "main"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"315918296561430778916718972487219294649",
"236301574266727452171691663271182076761",
"237305433814635667659651757466474577476",
"223759838967229225484273235207262355537",
"81042947091868430478375905312460657708",
"275354419579663574289624967921884521025",
"88879754337558222814257817102398965015",
"99620886970130100127893055623001985153",
"16888286943903229450237419816097041717",
"314199319330254619764114873430769389974",
"78867072627398220191836105956372158914",
"77393872620636578277768582351777811010",
"275457768371539411531594597907303990919",
"334721492597947173929929384799452976066",
"235066225110637489107047316112436632736",
"98953343897439567751173346723823829495",
"114347808297405791040474398163864695103",
"68994151577055578642250155515644859371",
"16528778188835593952030166723637544595",
"13343199906080567355327046263291242934",
"66443402438450600842721076828010474548",
"231279283207357356727874610342899311949",
"319498916956910338582968687226893981171",
"161403434769859326127501472497639239686",
"9733443401807425837851043682533763066",
"129685832149756618264133011094920751173",
"42811405211365748759370495089269623473",
"26872803419165006319125029196579316801",
"164348516587721373112249114098074074953",
"116414870759134509870908163383766879700",
"35491249226478996719171029256320664681",
"153139514857107773255106204980649731012",
"30676756902993079196605015995507659803",
"214976953048886551257514815378931403938",
"195259773245634568045234530645266735062",
"153788273095748771715142521791053910035",
"239731443409064388104952037709017178992",
"291349518556519671078601533077628955597",
"269675594130957149545570109543580147008",
"87854289094761442204014122964086550524",
"76071528124864795723281629551971562846",
"17854354127732058366973442221069089543",
"132085671190099972570594515965622145285",
"160648024490430223525812054160939074940"
]
},
"id": "CVE-2021-22160-f2c25eb6",
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"signature_type": "Line",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceConsumer.java"
},
"signature_version": "v1",
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22160.json"