CVE-2021-21369

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21369
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21369.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-21369
Related
  • GHSA-qgfj-mjpc-7w3q
Published
2021-03-09T18:15:18.047Z
Modified
2025-11-14T11:13:38.918841Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

Hyperledger Besu is an open-source, MainNet-compatible Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability in the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then before making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON Web Token (JWT) using their credentials. A single user can readily overload the login endpoint with invalid requests (incorrect password). Because the supplied password is checked for validity on the main Vert.x event loop and that check takes a relatively long time, this can cause the processing of other valid requests to fail. A valid username is required for this vulnerability to be exposed. This has been fixed in version 1.5.1.

References

Affected packages

Git / github.com/hyperledger/besu

Affected ranges

Type
GIT
Repo
https://github.com/hyperledger/besu
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.9.0
0.9.1

1.*

1.0.0-RC1
1.0.2
1.0.3
1.1.0-RC1
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0-RC1
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0-RC1
1.3.1
1.3.2
1.3.3
1.3.4
1.3.6
1.3.7
1.3.8
1.4.0-RC1
1.4.0-beta1
1.4.0-beta2
1.4.0-beta3
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5-RC1
1.4.5-RC2
1.4.5-RC3
1.4.6-RC1
1.5.0-RC1

22.*

22.10.101

23.*

23.1.100

Database specific

vanir_signatures
