CVE-2021-22160 is a vulnerability in Apache Pulsar
Published on May 26, 2021
Authentication with JWT allows use of “none”-algorithm
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).
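The check that closes this class of flaw, shown as an added Python example (not Apache Pulsar's own code, which is Java): the verifier pins the accepted algorithm instead of letting the token's header choose it. The HS256-only policy, the key, the function names and the sample tokens are assumptions constructed for the illustration.

```python
import base64, hashlib, hmac, json

ALLOWED_ALGS = ("HS256",)  # assumption: the deployment issues HS256 tokens only

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_token(token, key):
    """Return the claims only if the token is signed under a pinned algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm; the header can never select "no check".
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def sample_token(alg, claims, key=None):
    """Build a constructed test token; key=None leaves the signature part empty."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = b""
    if key is not None:
        sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def check(token, key):
    """Return ('accepted', subject) or ('rejected', reason) for logs and tests."""
    try:
        return ("accepted", verify_token(token, key)["sub"])
    except (ValueError, KeyError) as exc:
        return ("rejected", str(exc))

KEY = b"constructed-demo-key"  # constructed value, not a real secret

if __name__ == "__main__":
    print(check(sample_token("HS256", {"sub": "client-a"}, KEY), KEY))
    print(check(sample_token("none", {"sub": "admin"}), KEY))
```

A regression test for a broker or gateway that accepts JWTs can assert the same thing: an unsigned token is refused regardless of the claims it carries.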
Affected Versions
Apache Software Foundation Apache Pulsar: versions below 2.7.1 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.