CVE-2021-21369
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-21369
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21369.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-21369
- Related
- Published
- 2021-03-09T18:15:18Z
- Modified
- 2025-01-15T01:47:43.565115Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials. A single user can readily overload the login endpoint with invalid requests (incorrect password). As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail. A valid username is required for this vulnerability to be exposed. This has been fixed in version 1.5.1.
- References
Affected packages
Git / github.com/hyperledger/besu
Affected ranges
- Type
- GIT
- Repo
- https://github.com/hyperledger/besu
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed