CVE-2021-22160
- Source
- https://cve.org/CVERecord?id=CVE-2021-22160
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22160.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-22160
- Aliases
- Published
- 2021-05-26T13:15:07.697Z
- Modified
- 2026-04-02T06:49:12.568139Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).
- References
-
- https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E
Affected packages
Git / github.com/apache/pulsar
Affected versions
v1.*
v1.14
v1.15
v1.15.1
v1.15.2
v1.15.3
v1.15.4
v1.15.5
v1.15.6
v1.15.7
v1.16
v1.16.1
v1.16.2
v1.16.3
v1.16.4
v1.16.5
v1.17
v1.17.1
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.18
v1.19.0-incubating
v1.19.0-incubating-candidate-0
v1.20.0-incubating
v1.20.0-incubating-candidate-0
v1.21.0-incubating
v1.21.0-incubating-candidate-0
v1.21.0-incubating-candidate-1
v1.21.0-incubating-candidate-2
v1.21.0-incubating-candidate-3
v1.22.0-incubating
v1.22.0-incubating-candidate-0
v1.22.0-incubating-candidate-1
v1.22.0-incubating-candidate-2
v1.22.0-incubating-candidate-3
v1.22.1-incubating
v1.22.1-incubating-candidate-1
v1.22.1-incubating-candidate-2
v2.*
v2.0.0-rc1-incubating
v2.0.0-rc1-incubating-candidate-1
v2.0.0-rc1-incubating-candidate-2
v2.0.0-rc1-incubating-candidate-3
v2.0.0-rc1-incubating-candidate-4
v2.0.0-rc1-incubating-candidate-5
v2.0.1-incubating
v2.0.1-incubating-candidate-1
v2.0.1-incubating-candidate-2
v2.1.0-incubating
v2.1.0-incubating-candidate-1
v2.1.0-incubating-candidate-2
v2.1.0-incubating-candidate-3
v2.1.0-incubating-candidate-4
v2.1.0-incubating-candidate-5
v2.1.1-incubating
v2.1.1-incubating-candidate-1
v2.10.0
v2.10.0-candidate-1
v2.10.0-candidate-2
v2.10.0-candidate-3
v2.10.0-candidate-4
v2.10.0-candidate-5
v2.10.1
v2.10.1-candidate-1
v2.10.2
v2.10.2-candidate-1
v2.10.2-candidate-2
v2.10.2-candidate-3
v2.10.3
v2.10.3-candidate-1
v2.10.4
v2.10.4-candidate-1
v2.10.4-candidate-2
v2.10.4-candidate-3
v2.10.4-candidate-4
v2.10.5
v2.10.5-candidate-1
v2.10.5.3
v2.10.6
v2.10.6-candidate-1
v2.10.6-candidate-2
v2.11.0
v2.11.0-candidate-1
v2.11.0-candidate-2
v2.11.0-candidate-3
v2.11.0-candidate-4
v2.11.0-candidate-5
v2.11.1
v2.11.1-candidate-2
v2.11.2
v2.11.2-candidate-1
v2.11.3
v2.11.3-candidate-1
v2.11.3-candidate-2
v2.11.4
v2.11.4-candidate-1
v2.2.0
v2.2.0-candidate-1
v2.2.0-candidate-2
v2.2.1
v2.2.1-candidate-1
v2.2.1-candidate-2
v2.3.0
v2.3.0-candidate-1
v2.3.1
v2.3.1-candidate-1
v2.3.1-candidate-2
v2.3.2
v2.3.2-candidate-1
v2.4.0
v2.4.0-candidate-1
v2.4.0-candidate-2
v2.4.1
v2.4.1-candidate-1
v2.4.2
v2.4.2-candidate-1
v2.4.2-candidate-2
v2.4.2-candidate-3
v2.5.0
v2.5.0-candidate-1
v2.5.0-candidate-2
v2.5.1
v2.5.1-candidate-1
v2.5.1-candidate-2
v2.5.1-candidate-3
v2.5.1-candidate-4
v2.5.2
v2.5.2-candidate-1
v2.6.0
v2.6.0-candidate-1
v2.6.1
v2.6.1-candidate-1
v2.6.2
v2.6.2-candidate-1
v2.6.2-candidate-2
v2.6.3
v2.6.3-candidate-1
v2.6.3-candidate-2
v2.6.4
v2.6.4-candidate-1
v2.7.0
v2.7.0-candidate-1
v2.7.0-candidate-2
v2.8.0
v2.8.0-candidate-1
v2.8.0-candidate-2
v2.8.0-candidate-3
v2.8.1
v2.8.1-candidate-1
v2.8.1-candidate-2
v2.8.1-candidate-3
v2.8.2
v2.8.2-candidate-1
v2.8.2-candidate-2
v2.8.3
v2.8.3-candidate-1
v2.8.3-candidate-2
v2.8.3-candidate-3
v2.8.3-candidate-4
v2.8.4
v2.8.4-candidate-1
v2.9.0
v2.9.0-candidate-1
v2.9.0-candidate-2
v2.9.0-candidate-3
v2.9.0-candidate-4
v2.9.1
v2.9.1-candidate-1
v2.9.1-candidate-2
v2.9.2
v2.9.2-candidate-1
v2.9.2-candidate-2
v2.9.2-candidate-3
v2.9.2-candidate-4
v2.9.3
v2.9.3-candidate-1
v2.9.3-candidate-2
v2.9.4
v2.9.4-candidate-1
v2.9.4-candidate-2
v2.9.4-candidate-3
v2.9.5
v2.9.5-candidate-1
v2.9.5-candidate-2
v2.9.5-candidate-3
v3.*
v3.0.0
v3.0.0-candidate-1
v3.0.0-candidate-2
v3.0.0-candidate-3
v3.0.0-candidate-4
v3.0.1
v3.0.1-candidate-1
v3.0.1-candidate-2
v3.0.10
v3.0.10-candidate-1
v3.0.11
v3.0.11-candidate-1
v3.0.12
v3.0.12-candidate-1
v3.0.13
v3.0.13-candidate-1
v3.0.14
v3.0.14-candidate-1
v3.0.15
v3.0.15-candidate-1
v3.0.16
v3.0.16-candidate-1
v3.0.2
v3.0.2-candidate-1
v3.0.2-candidate-2
v3.0.2-candidate-3
v3.0.2-candidate-4
v3.0.3
v3.0.3-candidate-1
v3.0.3-candidate-2
v3.0.4
v3.0.4-candidate-1
v3.0.5
v3.0.5-candidate-1
v3.0.6
v3.0.6-candidate-1
v3.0.7
v3.0.7-candidate-1
v3.0.8
v3.0.8-candidate-1
v3.0.8-candidate-2
v3.0.9
v3.0.9-candidate-1
v3.0.9-candidate-2
v3.1.0
v3.1.0-candidate-1
v3.1.1
v3.1.1-candidate-1
v3.1.2
v3.1.2-candidate-1
v3.1.2-candidate-2
v3.1.3
v3.1.3-candidate-1
v3.1.3-candidate-2
v3.2.0
v3.2.0-candidate-1
v3.2.0-candidate-2
v3.2.0-candidate-3
v3.2.0-candidate-4
v3.2.0-candidate-5
v3.2.1
v3.2.1-candidate-1
v3.2.1-candidate-2
v3.2.2
v3.2.2-candidate-1
v3.2.3
v3.2.3-candidate-1
v3.2.4
v3.2.4-candidate-1
v3.3.0
v3.3.0-candidate-1
v3.3.0-candidate-2
v3.3.0-candidate-3
v3.3.0-candidate-4
v3.3.1
v3.3.1-candidate-1
v3.3.2
v3.3.2-candidate-1
v3.3.3
v3.3.3-candidate-1
v3.3.3-candidate-2
v3.3.4
v3.3.4-candidate-1
v3.3.4-candidate-2
v3.3.5
v3.3.5-candidate-1
v3.3.5-candidate-2
v3.3.6
v3.3.6-candidate-1
v3.3.7
v3.3.7-candidate-1
v3.3.8
v3.3.8-candidate-1
v3.3.9
v3.3.9-candidate-1
v4.*
v4.0.0
v4.0.0-candidate-1
v4.0.0-preview.1
v4.0.1
v4.0.1-candidate-1
v4.0.1-candidate-2
v4.0.2
v4.0.2-candidate-1
v4.0.2-candidate-2
v4.0.2-candidate-3
v4.0.3
v4.0.3-candidate-1
v4.0.3-candidate-2
v4.0.4
v4.0.4-candidate-1
v4.0.5
v4.0.5-candidate-1
v4.0.6
v4.0.6-candidate-1
v4.0.7
v4.0.7-candidate-1
v4.0.8
v4.0.8-candidate-1
v4.0.9
v4.0.9-candidate-1
v4.0.9-candidate-2
v4.1.0
v4.1.0-candidate-1
v4.1.1
v4.1.1-candidate-1
v4.1.2
v4.1.2-candidate-1
v4.1.3
v4.1.3-candidate-1
v4.1.3-candidate-2
v4.2.0
v4.2.0-candidate-1
vx.*
vx.y.z.m
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22160.json"
vanir_signatures
[
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"13343199906080567355327046263291242934",
"66443402438450600842721076828010474548",
"231279283207357356727874610342899311949",
"319498916956910338582968687226893981171",
"161403434769859326127501472497639239686",
"29894245584646026771238015833992197731",
"20442382929230193370094299352671175240",
"167926599160935949217555517312324160979",
"3969021539140368944541891706454272987",
"32587283295654531882861333521281228287",
"91004435481515443419193846513854177066",
"69298087081940564135547239642271029440"
],
"threshold": 0.9
},
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"id": "CVE-2021-22160-9d55e6b8",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceReader.java"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"150554070558514417499956772130572421084",
"81042947091868430478375905312460657708",
"140350643460818546930569698686457987620",
"279993339217558671080547213639038139241",
"40438349506969206266022438885598088638",
"240994273641353270766900138467430074642",
"249848150602551863629820195559969178095",
"114388734559731466913840283470842103890",
"74137028872922559046397328053230494802",
"309510348649781237790210797233191939204",
"60088706953419712955287304226395659447",
"312086726970542322389975788197909794936",
"185219985881079343288820327755166799525",
"259996328910508419014349793547476559231",
"266746878558385270347398079658570055549",
"108116574961733143123286744424636111941"
],
"threshold": 0.9
},
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"id": "CVE-2021-22160-b0d10d38",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceProducer.java"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "249431010052407684037984679800576826944",
"length": 4617.0
},
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"id": "CVE-2021-22160-c057f869",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceProducer.java",
"function": "runProducer"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "62367699578856898966262814562137860027",
"length": 4756.0
},
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"id": "CVE-2021-22160-d30c2619",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceProducer.java",
"function": "main"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "15371671768062587689777100981307781840",
"length": 4218.0
},
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"id": "CVE-2021-22160-d4e8e7a1",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceReader.java",
"function": "main"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "29076506231259417791862277699844051517",
"length": 6038.0
},
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"id": "CVE-2021-22160-e989523d",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceConsumer.java",
"function": "main"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"315918296561430778916718972487219294649",
"236301574266727452171691663271182076761",
"237305433814635667659651757466474577476",
"223759838967229225484273235207262355537",
"81042947091868430478375905312460657708",
"275354419579663574289624967921884521025",
"88879754337558222814257817102398965015",
"99620886970130100127893055623001985153",
"16888286943903229450237419816097041717",
"314199319330254619764114873430769389974",
"78867072627398220191836105956372158914",
"77393872620636578277768582351777811010",
"275457768371539411531594597907303990919",
"334721492597947173929929384799452976066",
"235066225110637489107047316112436632736",
"98953343897439567751173346723823829495",
"114347808297405791040474398163864695103",
"68994151577055578642250155515644859371",
"16528778188835593952030166723637544595",
"13343199906080567355327046263291242934",
"66443402438450600842721076828010474548",
"231279283207357356727874610342899311949",
"319498916956910338582968687226893981171",
"161403434769859326127501472497639239686",
"9733443401807425837851043682533763066",
"129685832149756618264133011094920751173",
"42811405211365748759370495089269623473",
"26872803419165006319125029196579316801",
"164348516587721373112249114098074074953",
"116414870759134509870908163383766879700",
"35491249226478996719171029256320664681",
"153139514857107773255106204980649731012",
"30676756902993079196605015995507659803",
"214976953048886551257514815378931403938",
"195259773245634568045234530645266735062",
"153788273095748771715142521791053910035",
"239731443409064388104952037709017178992",
"291349518556519671078601533077628955597",
"269675594130957149545570109543580147008",
"87854289094761442204014122964086550524",
"76071528124864795723281629551971562846",
"17854354127732058366973442221069089543",
"132085671190099972570594515965622145285",
"160648024490430223525812054160939074940"
],
"threshold": 0.9
},
"source": "https://github.com/apache/pulsar/commit/8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d",
"id": "CVE-2021-22160-f2c25eb6",
"target": {
"file": "pulsar-testclient/src/main/java/org/apache/pulsar/testclient/PerformanceConsumer.java"
}
}
]