CVE-2021-29451

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-29451
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29451.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-29451
Published
2021-04-16T22:15:14.233Z
Modified
2025-11-20T11:38:28.619005Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details

Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.

Affected packages

Git / github.com/manydesigns/portofino

Affected ranges

Type
GIT
Repo
https://github.com/manydesigns/portofino
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

4.*

4.0.0
4.0.1
4.0.10
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.beta1
4.0.beta2
4.0.beta3
4.0.beta4
4.0.beta5
4.0.beta6
4.0.beta7
4.0.rc1
4.0.rc2
4.0.rc3
4.0.rc4
4.0.rc5
4.0.rc6
4.0.rc7
4.0.rc8
4.1
4.1.1
4.1.2
4.1.3
4.1.beta1
4.1.beta2
4.1.beta3
4.1.beta4
4.1.beta5
4.1.beta6
4.2
4.2.1
4.2.2
4.2.3

5.*

5.0-alpha.2
5.0-beta.1
5.0.0
5.0.1
5.0.2
5.0.3
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.2-RC1
5.2.0

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "source": "https://github.com/manydesigns/portofino/commit/8c754a0ad234555e813dcbf9e57d637f9f23d8fb",
        "id": "CVE-2021-29451-2560587e",
        "signature_version": "v1",
        "target": {
            "file": "portofino-core/src/main/java/com/manydesigns/portofino/shiro/AbstractPortofinoRealm.java",
            "function": "extractPrincipalFromWebToken"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "141322969805560288871577444896735620335",
            "length": 715.0
        }
    },
    {
        "signature_type": "Line",
        "source": "https://github.com/manydesigns/portofino/commit/8c754a0ad234555e813dcbf9e57d637f9f23d8fb",
        "id": "CVE-2021-29451-9cf3eccb",
        "signature_version": "v1",
        "target": {
            "file": "portofino-core/src/main/java/com/manydesigns/portofino/shiro/AbstractPortofinoRealm.java"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        }
    },
    {
        "signature_type": "Line",
        "source": "https://github.com/manydesigns/portofino/commit/8c754a0ad234555e813dcbf9e57d637f9f23d8fb",
        "id": "CVE-2021-29451-aa91b60e",
        "signature_version": "v1",
        "target": {
            "file": "dispatcher/src/main/java/com/manydesigns/portofino/dispatcher/security/jwt/JWTRealm.java"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        }
    }
]