For folks on Pulsar 2.6 using token-based authentication, since there is no
2.6 version with the CVE fix yet available, you are welcome to use our
Pulsar Docker images which contain the fix and which we have confirmed
resolves the CVE:


   - datastax/pulsar:2.6.2_1.0.1
     <https://hub.docker.com/layers/datastax/pulsar/2.6.2_1.0.1/images/sha256-598c4a99f4716de43838657b741b92f0310cea8539b9538659d4657ef8aaee17?context=explore>
   - datastax/pulsar-all:2.6.2_1.0.1
     <https://hub.docker.com/layers/datastax/pulsar-all/2.6.2_1.0.1/images/sha256-dfb4fa500372c17e009427322fd84a6302d7a4bf716cd511c103449756bad79f?context=explore>


The fix
<https://github.com/apache/pulsar/commit/67e7e0cd23157ebbc8c18f40ce0eb87f600dafb6>
has been committed to branch-2.6 (by Enrico). We (DataStax) are looking to
help get an official 2.6 release out for this vulnerability fix ASAP.

Chris


On Tue, 25 May 2021 at 09:27, PengHui Li <peng...@apache.org> wrote:

> CVE-2021-22160 Apache Pulsar Information Disclosure
>
> Severity: High
>
> Versions Affected:
> Apache Pulsar < 2.7.1
>
> Description:
> If Apache Pulsar is configured to authenticate clients using tokens
> based on JSON Web Tokens (JWT), the signature of the token is not
> validated if the algorithm of the presented token is set to "none".
> This allows an attacker to connect to Pulsar instances as any user
> (incl. admins).
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> Upgrade to Apache Pulsar 2.7.1 or later
>
> Credit:
> This issue was identified by Peter Stöckli
>

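As an added example (not code from this thread or from the Pulsar project), a stdlib-only Python verifier that shows the check the advisory describes: the header's "alg" is compared against the algorithm the server was configured with, so a token presenting "alg": "none" is rejected before any signature logic runs, and the signature is then verified with a constant-time comparison. The secret, claims and tokens are constructed test values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real broker loads its own configured key.
SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, alg: str, key: bytes = SECRET) -> str:
    """Build a compact JWT as a test vector. alg='none' yields an unsigned
    token (empty signature segment), the input a verifier must reject."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url_encode(sig)}"
    return f"{header}.{payload}."


def verify_token(token: str, key: bytes = SECRET, expected_alg: str = "HS256") -> dict:
    """Return the claims only if the header alg equals the configured one
    AND the HMAC verifies. The header never selects the verification path;
    it is only checked against expected_alg."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if not isinstance(alg, str) or alg != expected_alg:
        # Rejects "none" in any casing, a missing alg, and algorithm confusion.
        raise ValueError(f"unexpected alg {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def accepts(token: str) -> bool:
    """True if the verifier accepts the token, False if it rejects it."""
    try:
        verify_token(token)
        return True
    except ValueError:
        return False
```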