mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
106 lines
4.7 KiB
JSON
106 lines
4.7 KiB
JSON
{
|
|
"CVE_data_meta": {
|
|
"ASSIGNER": "security@apache.org",
|
|
"ID": "CVE-2021-22160",
|
|
"STATE": "PUBLIC",
|
|
"TITLE": "Authentication with JWT allows use of \u201cnone\u201d-algorithm"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Apache Pulsar",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "Apache Pulsar",
|
|
"version_value": "2.7.1"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"vendor_name": "Apache Software Foundation"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"data_format": "MITRE",
|
|
"data_type": "CVE",
|
|
"data_version": "4.0",
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to \"none\". This allows an attacker to connect to Pulsar instances as any user (incl. admins)."
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "Vulnogram 0.0.9"
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "token not validated"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"refsource": "MISC",
|
|
"url": "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E",
|
|
"name": "https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[pulsar-dev] 20210527 Cutting 2.6.4 release to address CVE-2021-22160",
|
|
"url": "https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5@%3Cdev.pulsar.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[pulsar-dev] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm",
|
|
"url": "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550@%3Cdev.pulsar.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[pulsar-users] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \"none\"-algorithm",
|
|
"url": "https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550@%3Cusers.pulsar.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[pulsar-dev] 20210527 Re: Cutting 2.6.4 release to address CVE-2021-22160",
|
|
"url": "https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da@%3Cdev.pulsar.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of \u201cnone\u201d-algorithm",
|
|
"url": "https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[pulsar-dev] 20210531 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions",
|
|
"url": "https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84@%3Cdev.pulsar.apache.org%3E"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[pulsar-dev] 20210604 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions",
|
|
"url": "https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df@%3Cdev.pulsar.apache.org%3E"
|
|
}
|
|
]
|
|
},
|
|
"source": {
|
|
"discovery": "UNKNOWN"
|
|
}
|
|
} |