{"id":"CVE-2021-22160","details":"If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to \"none\". This allows an attacker to connect to Pulsar instances as any user (incl. admins).","aliases":["GHSA-3cv4-xxv7-934q"],"modified":"2026-04-11T23:34:04.071411Z","published":"2021-05-26T13:15:07.697Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84%40%3Cdev.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df%40%3Cdev.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5%40%3Cdev.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da%40%3Cdev.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cdev.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550%40%3Cusers.pulsar.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cusers.pulsar.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1%40%3Cdev.pulsar.apache.org%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/pulsar","events":[{"introduced":"0"},{"fixed":"8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.7.1"}]}}],"versions":["v1.14","v1.15","v1.16","v1.17","v1.18","v2.7.0","v2.7.0-candidate-1","v2.7.0-candidate-2"],"database_s
pecific":{"vanir_signatures_modified":"2026-04-11T23:34:04Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22160.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}