CVE-2021-22160
Improper Verification of Cryptographic Signature in Apache Pulsar in TensorFlow
9.8
CRITICAL
CVSS 3.1
EPSS 18.5%
Description
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).
How to fix CVE-2021-22160
To remediate CVE-2021-22160, upgrade the affected package to a fixed version below.
- —upgrade to 2.7.2 or later
Is CVE-2021-22160 being exploited?
Moderate — EPSS is 18.5%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 2.7.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (13)
- ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-22160
- WEBgithub.com/apache/pulsar/releases/tag/v2.7.2
- WEBlists.apache.org/thread.html/r08c7df60cae031361df7fbac39d08b6d5b5079e74db5195d409db9a2@%3Cdev.pulsar.apache.org%3E
- WEBlists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E