GHSA-3cv4-xxv7-934q

Source
https://github.com/advisories/GHSA-3cv4-xxv7-934q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-3cv4-xxv7-934q/GHSA-3cv4-xxv7-934q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3cv4-xxv7-934q
Aliases
Published
2021-06-01T21:53:49Z
Modified
2023-11-08T04:04:54.864716Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Verification of Cryptographic Signature in Apache Pulsar in TensorFlow
Details

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (including admins).
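
The check described above, as an added example that is not Pulsar's own code: a minimal HS256 verifier in the vulnerable shape (the token's own "alg" header decides whether a signature is checked) next to the hardened shape (the server's allowlist decides, and "none" is never on it). The key, claims, constant and helper names are assumptions constructed for this demonstration.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def hs256(head: str, body: str, key: bytes) -> bytes:
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()


def issue_hs256(claims: dict, key: bytes) -> str:
    # A legitimately signed token, the kind a broker should accept.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url_encode(hs256(head, body, key))}"


def verify_vulnerable(token: str, key: bytes) -> dict:
    # Flawed shape: the token's "alg" decides whether any signature is checked.
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body))
    if not hmac.compare_digest(hs256(head, body, key), b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def verify_hardened(token: str, key: bytes, allowed=("HS256",)) -> dict:
    # Fixed shape: the verifier's allowlist decides; "none" is never on it.
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg not in allowed:
        raise ValueError(f"algorithm {alg!r} not permitted")
    if not sig or not hmac.compare_digest(hs256(head, body, key), b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def hardened_rejects(token: str, key: bytes) -> bool:
    try:
        verify_hardened(token, key)
    except ValueError:
        return True
    return False


# Constructed sample input: an unsigned token whose header claims alg "none".
UNSIGNED_ADMIN_TOKEN = b64url_encode(b'{"alg":"none"}') + "." + b64url_encode(b'{"sub":"admin"}') + "."
```

The same allowlist rule applies to asymmetric algorithms: a server expecting RS256 must refuse an HS256 header rather than let the token pick.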

Database specific
{
    "nvd_published_at": "2021-05-26T13:15:00Z",
    "github_reviewed_at": "2021-06-01T20:20:10Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-347"
    ]
}
References

Affected packages

Maven / org.apache.pulsar:pulsar

Package

Name
org.apache.pulsar:pulsar
Purl
pkg:maven/org.apache.pulsar/pulsar

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.7.2

Affected versions

1.*

1.19.0-incubating
1.20.0-incubating
1.21.0-incubating
1.22.0-incubating
1.22.1-incubating

2.*

2.0.0-rc1-incubating
2.0.1-incubating
2.1.0-incubating
2.1.1-incubating
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.7.0
2.7.1