Is CVE-2021-22160 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Software Foundation Pulsar

CVE-2021-22160

If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to…

EPSS: 0.529 (98.8th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Pulsar — versions Apache Pulsar

Public proof-of-concept exploits

p-/p-

References

lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6… (x_refsource_MISC)
[pulsar-dev] 20210527 Cutting 2.6.4 release to address CVE-2021-22160 (mailing-list, x_refsource_MLIST)
[pulsar-dev] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of "none"-algorithm (mailing-list, x_refsource_MLIST)
[pulsar-users] 20210527 Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of "none"-algorithm (mailing-list, x_refsource_MLIST)
[pulsar-dev] 20210527 Re: Cutting 2.6.4 release to address CVE-2021-22160 (mailing-list, x_refsource_MLIST)
Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm (mailing-list, x_refsource_MLIST)
[pulsar-dev] 20210531 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions (mailing-list, x_refsource_MLIST)
[pulsar-dev] 20210604 Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2021-22160?: CVE-2021-22160 is a vulnerability in Apache Software Foundation Pulsar. Published 2021-05-26.
Is CVE-2021-22160 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.