{"id":"CVE-2021-21369","details":"Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials. A single user can readily overload the login endpoint with invalid requests (incorrect password). As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail. A valid username is required for this vulnerability to be exposed. This has been fixed in version 1.5.1.","modified":"2026-04-11T23:34:01.670103Z","published":"2021-03-09T18:15:18.047Z","related":["GHSA-qgfj-mjpc-7w3q"],"references":[{"type":"ADVISORY","url":"https://github.com/hyperledger/besu/blob/master/CHANGELOG.md#151"},{"type":"ADVISORY","url":"https://github.com/hyperledger/besu/security/advisories/GHSA-qgfj-mjpc-7w3q"},{"type":"FIX","url":"https://github.com/hyperledger/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022"},{"type":"FIX","url":"https://github.com/hyperledger/besu/pull/1144"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/besu-eth/besu","events":[{"introduced":"0"},{"fixed":"06e35a58c07a30c0fbdc0aae45a3e8b06b53c022"}]},{"type":"GIT","repo":"https://github.com/hyperledger/besu","events":[{"introduced":"0"},{"fixed":"25d2e9de4dc9af16e6d3ccabb2f91b7f7a964a7d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.5.1"}]}}],"versions":["0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.9.0","0.9.1","1.0.0-RC1","1.0.2","1.0.3","1.1.0-RC1","1.1.1","1.1.2","1.1.3","1.1.4","1.2.0-RC1","1.2.1","1.2.2","1.2.3","1.2.4","1.3.0-RC1","1.3.1","1.3.2","1.3.3","1.3.4","1.3.6","1.3.7","1.3.8","1.4.0-RC1","1.4.0-beta1","1.4.0-beta2","1.4.0-beta3","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5-RC1","1.4.5-RC2","1.4.5-RC3","1.4.6-RC1","1.5.0-RC1","1.5.1-RC1","22.10.101","23.1.100"],"database_specific":{"vanir_signatures_modified":"2026-04-11T23:34:01Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21369.json","vanir_signatures":[{"digest":{"function_hash":"64381713088266366018561196345936539383","length":625},"signature_version":"v1","signature_type":"Function","source":"https://github.com/besu-eth/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022","deprecated":false,"target":{"function":"isPermitted","file":"ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/AuthenticationUtils.java"},"id":"CVE-2021-21369-0a375cd6"},{"digest":{"function_hash":"184698889659266319773508793877608505490","length":126},"signature_version":"v1","signature_type":"Function","source":"https://github.com/besu-eth/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022","deprecated":false,"target":{"function":"getPermissions","file":"ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/internal/methods/NetListeningTest.java"},"id":"CVE-2021-21369-0de6d3e9"},{"digest":{"threshold":0.9,"line_hashes":["57102611633249846327663312879881166530","34822510995959030423613782808951809724","15748690476187400368007366156010311705","96331029700653959396743484715452980167","231601594152716623874279391312340387666","307877561683510928330266791625557310931","61076434077285609541988954051372503368","465343570125788745361214934823766249","248519113705415243031887655690494920287","141698439162157606917254402507637021340"]},"signature_version":"v1","signature_type":"Line","source":"https://github.com/besu-eth/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022","deprecated":false,"target":{"file":"ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/internal/methods/JsonRpcMethod.java"},"id":"CVE-2021-21369-566cd15e"},
{"digest":{"threshold":0.9,"line_hashes":["315106022723391746843393659544390574530","73075871826339432811515457434403761391","161627377251401519145679589746502572400","233281961059050443449833096272147513437","110658845601362063683841242475126994682","188888381525941065975374173224249227181","155312791848823335014288330009814012826","45615583453204153753719763995300268141","98009410264764540819861283241017147056","287026555461489870820554161238863516035","324522678172802621473209781797966055694","230855589882521207449443403601012215405","118822406261765103933389436747845827321","127746470824115764663996296806140274253","141991749203138348720802365878102614167","107109692070258184438598202144688482258","40256149600835442524219629109647108829","244125084856819352952595829882912148068","321169256301661340812682807670756763631","32792164327410758382790304636255166647","143863374670141677960892826897904121428","118256784942360338581688575859391299047","159095408458783265010985773071319344269"]},"signature_version":"v1","signature_type":"Line","source":"https://github.com/besu-eth/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022","deprecated":false,"target":{"file":"ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/AuthenticationUtils.java"},"id":"CVE-2021-21369-8810ce5f"},{"digest":{"threshold":0.9,"line_hashes":["61288609024308634531140162818040757144","43916532171570155322547980632613746471","192876523923028313170493927547319194467","156105854959380448758640360080203659306"]},"signature_version":"v1","signature_type":"Line","source":"https://github.com/besu-eth/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022","deprecated":false,"target":{"file":"ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/internal/methods/NetListeningTest.java"},"id":"CVE-2021-21369-ee52a7f8"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}
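The record above describes the failure mode in one sentence: a slow password check executed on the Vert.x event-loop thread that also serves every other JSON-RPC request, so a flood of wrong passwords for a valid username stalls legitimate traffic. The following Java/Vert.x snippet is an added illustration of that pattern and of the usual remedy; it is not Besu's code and does not reproduce the referenced fix commit. It assumes Vert.x 4.3 or later (`RoutingContext.body()`, `Vertx.executeBlocking` returning a `Future`), a hypothetical in-memory credential store holding a PBKDF2 hash for the constructed user `alice` / password `hunter2`, and an assumed per-username failure cap of 5 attempts.

```java
// Added example (not Besu's code): a blocking login handler next to one that
// keeps the KDF off the event loop and rejects repeated failures cheaply.
import io.vertx.core.Future;
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.BodyHandler;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

public class LoginHandlers {
  // Assumed KDF parameters: deliberately slow so one check costs tens of milliseconds.
  private static final int ITERATIONS = 200_000;
  private static final byte[] SALT = "demo-salt-not-for-production".getBytes(StandardCharsets.UTF_8);
  private static final int MAX_FAILURES = 5; // assumed cap, not a Besu setting

  // Constructed credential store: username -> PBKDF2 hash of "hunter2".
  private final Map<String, byte[]> users = Map.of("alice", pbkdf2("hunter2".toCharArray()));
  // Failed-attempt counter per username (bound or expire this in real code).
  private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();
  private final Vertx vertx;

  LoginHandlers(Vertx vertx) { this.vertx = vertx; }

  static byte[] pbkdf2(char[] password) {
    try {
      PBEKeySpec spec = new PBEKeySpec(password, SALT, ITERATIONS, 256);
      return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    } catch (Exception e) {
      throw new IllegalStateException(e);
    }
  }

  // The expensive check. MessageDigest.isEqual compares in constant time.
  boolean passwordMatches(String user, String password) {
    byte[] expected = users.get(user);
    if (expected == null) return false; // unknown user: no KDF work is spent
    return MessageDigest.isEqual(expected, pbkdf2(password.toCharArray()));
  }

  // VULNERABLE pattern: the KDF runs on the event-loop thread, so every other
  // request on that loop waits while an attacker cycles wrong passwords.
  void loginOnEventLoop(RoutingContext ctx) {
    JsonObject body = ctx.body().asJsonObject();
    boolean ok = passwordMatches(body.getString("username"), body.getString("password"));
    ctx.response().setStatusCode(ok ? 200 : 401).end();
  }

  // HARDENED pattern: reject a hammered username before any KDF work, then run
  // the check on the worker pool and only touch the response back on the loop.
  void loginOffEventLoop(RoutingContext ctx) {
    JsonObject body = ctx.body().asJsonObject();
    String user = body.getString("username");
    String password = body.getString("password");
    AtomicInteger failed = failures.computeIfAbsent(user, u -> new AtomicInteger());
    if (failed.get() >= MAX_FAILURES) {
      ctx.response().setStatusCode(429).end();
      return;
    }
    Future<Boolean> check =
        vertx.executeBlocking(promise -> promise.complete(passwordMatches(user, password)), false);
    check.onSuccess(ok -> {
      if (ok) failed.set(0); else failed.incrementAndGet();
      ctx.response().setStatusCode(ok ? 200 : 401).end();
    }).onFailure(err -> ctx.response().setStatusCode(500).end());
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    LoginHandlers handlers = new LoginHandlers(vertx);
    Router router = Router.router(vertx);
    router.route().handler(BodyHandler.create());
    router.post("/login-blocking").handler(handlers::loginOnEventLoop); // vulnerable shape
    router.post("/login").handler(handlers::loginOffEventLoop);         // hardened shape
    vertx.createHttpServer().requestHandler(router).listen(8545);
  }
}
```

Two practical notes. First, the check to run on a deployment: hit `/login-blocking` in a loop with a valid username and a wrong password while timing an unrelated request on the same server; Vert.x's blocked-thread checker will also log a "has been blocked" warning for the event-loop thread once a handler exceeds its threshold, which is the signal that a handler is doing synchronous work it should not. Second, moving the KDF to the worker pool only moves the cost, it does not remove it, which is why the hardened handler also refuses cheaply after repeated failures; note too that returning early for unknown usernames, as above, leaks whether an account exists through response time, and a production version should run the KDF against a dummy hash in that branch and bound or expire the failure map.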