SSL verification omitted in OAuth2 credential flow in apache/pulsar
Mar 10th 2022
Pulsar uses Curl to send HTTP(S) requests and typically uses the tlsAllowInsecure_ global variable (derived from isTlsAllowInsecureConnection()) to determine whether SSL verification should be enabled or disabled.
In the linked occurrences, those checks do not occur and SSL verification is disabled by default, which is obviously a security issue for end-users.
This vulnerability is capable of allowing an attacker to intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'.
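The defect and its fix, modelled in Python as an added illustration; this is not Pulsar's code (the client is C++ on libcurl, where the equivalent knobs are CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST). The discovery path under .well-known/openid-configuration and the function names are assumptions.

```python
import ssl
import urllib.request

# Vulnerable pattern: a tls_allow_insecure setting exists, but the code that
# builds the issuer-URL request never consults it and switches verification
# off unconditionally, so any certificate is accepted for the issuer host.
def tls_context_vulnerable(tls_allow_insecure: bool) -> ssl.SSLContext:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # like CURLOPT_SSL_VERIFYHOST = 0
    ctx.verify_mode = ssl.CERT_NONE   # like CURLOPT_SSL_VERIFYPEER = 0
    return ctx                        # tls_allow_insecure was ignored


# Fixed pattern: verify peer certificate and hostname unless the caller
# explicitly opted into insecure TLS; the default is to verify.
def tls_context_fixed(tls_allow_insecure: bool = False) -> ssl.SSLContext:
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if tls_allow_insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Check used by the review/test: does this context still verify?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_issuer_metadata(issuer_url: str, tls_allow_insecure: bool = False,
                          timeout: float = 10.0) -> bytes:
    """GET the issuer's discovery document (assumed to be the first request of
    the client-credentials flow) with the hardened context."""
    url = issuer_url.rstrip("/") + "/.well-known/openid-configuration"
    ctx = tls_context_fixed(tls_allow_insecure)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()
```

The useful regression check is the one `verifies_peer` expresses: with the flag left at its default, the context for the issuer request must still require a valid certificate and matching hostname.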