RULE(RULE ID:333728)

Rule General Information
Release Date: 2021-07-13
Rule Name: Apache Pulsar JSON Web Token Authentication Bypass Vulnerability (CVE-2021-22160)
Severity:
CVE ID:
Rule Protection Details
Description: Apache Pulsar is a distributed messaging and streaming platform from the Apache Software Foundation, built for cloud environments and providing messaging, storage, and lightweight compute functions. The software supports multi-tenancy, persistent storage, cross-datacenter and cross-region data replication, and highly scalable stream storage with strong consistency, high throughput, and low latency. If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins). The following products and versions are affected: Apache Pulsar:1.14, 1.15, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 1.15.6, 1.15.7, 1.16, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5, 1.17, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.17.5, 1.18, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0
Impact: An attacker who exploits this vulnerability can obtain privileges they are not entitled to, such as executing arbitrary code, deleting files, viewing sensitive information, or changing configurations.
Affected OS: Windows, Linux, Others
Reference: https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E
https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da@%3Cdev.pulsar.apache.org%3E
https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E
https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550@%3Cdev.pulsar.apache.org%3E
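As an added example that is not part of this rule entry or of the Pulsar code base: a minimal JWT verifier in Python that implements the check missing in the affected versions (an explicit algorithm allowlist, so a token declaring alg "none" is rejected before any signature handling), plus a helper a defender can run over logged tokens to flag unsigned ones. The secret key, claims, and function names are constructed for the demo; only HS256 is shown because the example uses a shared secret.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"demo-secret-key"   # constructed demo key; never hardcode real secrets
ALLOWED_ALGS = {"HS256"}      # allowlist: anything else, including "none", is refused

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, alg="HS256"):
    """Build a compact JWT; alg='none' yields an unsigned token, used only to exercise the verifier."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token):
    """Return the claims if the token is signed with an allowed algorithm, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:          # wrong part count, bad base64 (binascii.Error) or bad JSON
        raise ValueError("malformed token")
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # rejects "none", "None", a missing alg, and algorithm confusion
        raise ValueError(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def is_unsigned(token):
    """Detection helper: True if the header declares alg 'none' (any case) or the signature part is empty."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:
        return False
    return str(header.get("alg", "")).lower() == "none" or parts[2] == ""
```

Running is_unsigned over proxy or broker access logs that record the presented token gives a cheap indicator of attempts against unpatched brokers, while verify_token shows the allowlist check that the fixed versions perform.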
Solutions
The vendor has released patches that fix this vulnerability; please visit:
https://www.cybersecurity-help.cz/vdb/SB2021052540