Vulnerabilites related to linuxfoundation - besu
CVE-2022-36025 (GCVE-0-2022-36025)
Vulnerability from cvelistv5
Published
2022-09-24 02:00
Modified
2025-04-23 16:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hyperledger | besu |
Version: > 22.1.3, < 22.7.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:51:08.380684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:55:35.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "besu",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e 22.1.3, \u003c 22.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-681",
"description": "CWE-681: Incorrect Conversion between Numeric Types",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-196",
"description": "CWE-196: Unsigned to Signed Conversion Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-24T02:00:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x"
}
],
"source": {
"advisory": "GHSA-4456-w38r-m53x",
"discovery": "UNKNOWN"
},
"title": "Incorrect Conversion between Numeric Types in Besu Ethereum Client",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36025",
"STATE": "PUBLIC",
"TITLE": "Incorrect Conversion between Numeric Types in Besu Ethereum Client"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "besu",
"version": {
"version_data": [
{
"version_value": "\u003e 22.1.3, \u003c 22.7.1"
}
]
}
}
]
},
"vendor_name": "hyperledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-681: Incorrect Conversion between Numeric Types"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-196: Unsigned to Signed Conversion Error"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x",
"refsource": "CONFIRM",
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x"
}
]
},
"source": {
"advisory": "GHSA-4456-w38r-m53x",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36025",
"datePublished": "2022-09-24T02:00:13.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:55:35.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21369 (GCVE-0-2021-21369)
Vulnerability from cvelistv5
Published
2021-03-09 18:10
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials. A single user can readily overload the login endpoint with invalid requests (incorrect password). As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail. A valid username is required for this vulnerability to be exposed. This has been fixed in version 1.5.1.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hyperledger | besu |
Version: < 1.5.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.981Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-qgfj-mjpc-7w3q"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/besu/blob/master/CHANGELOG.md#151"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/besu/pull/1144"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "besu",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials. A single user can readily overload the login endpoint with invalid requests (incorrect password). As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail. A valid username is required for this vulnerability to be exposed. This has been fixed in version 1.5.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-09T18:10:18",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-qgfj-mjpc-7w3q"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/besu/blob/master/CHANGELOG.md#151"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/besu/pull/1144"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022"
}
],
"source": {
"advisory": "GHSA-qgfj-mjpc-7w3q",
"discovery": "UNKNOWN"
},
"title": "Potential DoS in Besu HTTP JSON-RPC API",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21369",
"STATE": "PUBLIC",
"TITLE": "Potential DoS in Besu HTTP JSON-RPC API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "besu",
"version": {
"version_data": [
{
"version_value": "\u003c 1.5.1"
}
]
}
}
]
},
"vendor_name": "hyperledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials. A single user can readily overload the login endpoint with invalid requests (incorrect password). As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail. A valid username is required for this vulnerability to be exposed. This has been fixed in version 1.5.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hyperledger/besu/security/advisories/GHSA-qgfj-mjpc-7w3q",
"refsource": "CONFIRM",
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-qgfj-mjpc-7w3q"
},
{
"name": "https://github.com/hyperledger/besu/blob/master/CHANGELOG.md#151",
"refsource": "MISC",
"url": "https://github.com/hyperledger/besu/blob/master/CHANGELOG.md#151"
},
{
"name": "https://github.com/hyperledger/besu/pull/1144",
"refsource": "MISC",
"url": "https://github.com/hyperledger/besu/pull/1144"
},
{
"name": "https://github.com/hyperledger/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022",
"refsource": "MISC",
"url": "https://github.com/hyperledger/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022"
}
]
},
"source": {
"advisory": "GHSA-qgfj-mjpc-7w3q",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21369",
"datePublished": "2021-03-09T18:10:18",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41272 (GCVE-0-2021-41272)
Vulnerability from cvelistv5
Published
2021-12-13 21:10
Modified
2024-08-04 03:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-681 - Incorrect Conversion between Numeric Types
Summary
Besu is an Ethereum client written in Java. Starting in version 21.10.0, changes in the implementation of the SHL, SHR, and SAR operations resulted in the introduction of a signed type coercion error in values that represent negative values for 32 bit signed integers. Smart contracts that ask for shifts between approximately 2 billion and 4 billion bits (nonsensical but valid values for the operation) will fail to execute and hence fail to validate. In networks where vulnerable versions are mining with other clients or non-vulnerable versions this will result in a fork and the relevant transactions will not be included in the fork. In networks where vulnerable versions are not mining (such as Rinkeby) no fork will result and the validator nodes will stop accepting blocks. In networks where only vulnerable versions are mining the relevant transaction will not be included in any blocks. When the network adds a non-vulnerable version the network will act as in the first case. Besu 21.10.2 contains a patch for this issue. Besu 21.7.4 is not vulnerable and clients can roll back to that version. There is a workaround available: Once a transaction with the relevant shift operations is included in the canonical chain, the only remediation is to make sure all nodes are on non-vulnerable versions.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hyperledger | besu |
Version: > 21.7.4, < 21.10.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:31.638Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-7pg2-p5vj-xp5h"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/besu/pull/3039"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/besu/commit/4170524ac3b45185704fcfbdeeb71b0b05dfa0a1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "besu",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e 21.7.4, \u003c 21.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Besu is an Ethereum client written in Java. Starting in version 21.10.0, changes in the implementation of the SHL, SHR, and SAR operations resulted in the introduction of a signed type coercion error in values that represent negative values for 32 bit signed integers. Smart contracts that ask for shifts between approximately 2 billion and 4 billion bits (nonsensical but valid values for the operation) will fail to execute and hence fail to validate. In networks where vulnerable versions are mining with other clients or non-vulnerable versions this will result in a fork and the relevant transactions will not be included in the fork. In networks where vulnerable versions are not mining (such as Rinkeby) no fork will result and the validator nodes will stop accepting blocks. In networks where only vulnerable versions are mining the relevant transaction will not be included in any blocks. When the network adds a non-vulnerable version the network will act as in the first case. Besu 21.10.2 contains a patch for this issue. Besu 21.7.4 is not vulnerable and clients can roll back to that version. There is a workaround available: Once a transaction with the relevant shift operations is included in the canonical chain, the only remediation is to make sure all nodes are on non-vulnerable versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-681",
"description": "CWE-681: Incorrect Conversion between Numeric Types",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-13T21:10:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-7pg2-p5vj-xp5h"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/besu/pull/3039"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/besu/commit/4170524ac3b45185704fcfbdeeb71b0b05dfa0a1"
}
],
"source": {
"advisory": "GHSA-7pg2-p5vj-xp5h",
"discovery": "UNKNOWN"
},
"title": "SHL, SHR, and SAR operations trigger native exception at key values in besu",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41272",
"STATE": "PUBLIC",
"TITLE": "SHL, SHR, and SAR operations trigger native exception at key values in besu"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "besu",
"version": {
"version_data": [
{
"version_value": "\u003e 21.7.4, \u003c 21.10.2"
}
]
}
}
]
},
"vendor_name": "hyperledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Besu is an Ethereum client written in Java. Starting in version 21.10.0, changes in the implementation of the SHL, SHR, and SAR operations resulted in the introduction of a signed type coercion error in values that represent negative values for 32 bit signed integers. Smart contracts that ask for shifts between approximately 2 billion and 4 billion bits (nonsensical but valid values for the operation) will fail to execute and hence fail to validate. In networks where vulnerable versions are mining with other clients or non-vulnerable versions this will result in a fork and the relevant transactions will not be included in the fork. In networks where vulnerable versions are not mining (such as Rinkeby) no fork will result and the validator nodes will stop accepting blocks. In networks where only vulnerable versions are mining the relevant transaction will not be included in any blocks. When the network adds a non-vulnerable version the network will act as in the first case. Besu 21.10.2 contains a patch for this issue. Besu 21.7.4 is not vulnerable and clients can roll back to that version. There is a workaround available: Once a transaction with the relevant shift operations is included in the canonical chain, the only remediation is to make sure all nodes are on non-vulnerable versions."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-681: Incorrect Conversion between Numeric Types"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hyperledger/besu/security/advisories/GHSA-7pg2-p5vj-xp5h",
"refsource": "CONFIRM",
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-7pg2-p5vj-xp5h"
},
{
"name": "https://github.com/hyperledger/besu/pull/3039",
"refsource": "MISC",
"url": "https://github.com/hyperledger/besu/pull/3039"
},
{
"name": "https://github.com/hyperledger/besu/commit/4170524ac3b45185704fcfbdeeb71b0b05dfa0a1",
"refsource": "MISC",
"url": "https://github.com/hyperledger/besu/commit/4170524ac3b45185704fcfbdeeb71b0b05dfa0a1"
}
]
},
"source": {
"advisory": "GHSA-7pg2-p5vj-xp5h",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41272",
"datePublished": "2021-12-13T21:10:11",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T03:08:31.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2021-03-09 18:15
Modified
2024-11-21 05:48
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials. A single user can readily overload the login endpoint with invalid requests (incorrect password). As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail. A valid username is required for this vulnerability to be exposed. This has been fixed in version 1.5.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | besu | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:besu:*:*:*:*:*:*:*:*",
"matchCriteriaId": "236DADDD-59BD-4AD7-9B91-16F5A30FFA0D",
"versionEndExcluding": "1.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials. A single user can readily overload the login endpoint with invalid requests (incorrect password). As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail. A valid username is required for this vulnerability to be exposed. This has been fixed in version 1.5.1."
},
{
"lang": "es",
"value": "Hyperledger Besu es un cliente Ethereum de c\u00f3digo abierto, compatible con MainNet, escrito en Java.\u0026#xa0;En Besu versiones anteriores a 1.5.1 se presenta una vulnerabilidad de denegaci\u00f3n de servicio que involucra al servicio HTTP JSON-RPC API .\u0026#xa0;Si la autenticaci\u00f3n de nombre de usuario y contrase\u00f1a est\u00e1 habilitada para el servicio de HTTP JSON-RPC API , antes de realizar cualquier petici\u00f3n a un endpoint de la API, el solicitante debe usar el endpoint de inicio de sesi\u00f3n para obtener un token web JSON (JWT) con sus credenciales.\u0026#xa0;Un solo usuario puede sobrecargar f\u00e1cilmente el endpoint de inicio de sesi\u00f3n con peticiones no v\u00e1lidas (contrase\u00f1a incorrecta).\u0026#xa0;Como se comprueba la validez de la contrase\u00f1a proporcionada en el bucle de eventos principal de vertx y lleva un tiempo relativamente largo, esto puede causar que el procesamiento de otras peticiones v\u00e1lidas presenten un fallo.\u0026#xa0;Es requerido un nombre de usuario v\u00e1lido para que se exponga esta vulnerabilidad.\u0026#xa0;Esto ha sido corregido en la versi\u00f3n 1.5.1"
}
],
"id": "CVE-2021-21369",
"lastModified": "2024-11-21T05:48:12.877",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-09T18:15:18.047",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/blob/master/CHANGELOG.md#151"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/pull/1144"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-qgfj-mjpc-7w3q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/blob/master/CHANGELOG.md#151"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/commit/06e35a58c07a30c0fbdc0aae45a3e8b06b53c022"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/pull/1144"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-qgfj-mjpc-7w3q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-12-13 21:15
Modified
2024-11-21 06:25
Severity ?
Summary
Besu is an Ethereum client written in Java. Starting in version 21.10.0, changes in the implementation of the SHL, SHR, and SAR operations resulted in the introduction of a signed type coercion error in values that represent negative values for 32 bit signed integers. Smart contracts that ask for shifts between approximately 2 billion and 4 billion bits (nonsensical but valid values for the operation) will fail to execute and hence fail to validate. In networks where vulnerable versions are mining with other clients or non-vulnerable versions this will result in a fork and the relevant transactions will not be included in the fork. In networks where vulnerable versions are not mining (such as Rinkeby) no fork will result and the validator nodes will stop accepting blocks. In networks where only vulnerable versions are mining the relevant transaction will not be included in any blocks. When the network adds a non-vulnerable version the network will act as in the first case. Besu 21.10.2 contains a patch for this issue. Besu 21.7.4 is not vulnerable and clients can roll back to that version. There is a workaround available: Once a transaction with the relevant shift operations is included in the canonical chain, the only remediation is to make sure all nodes are on non-vulnerable versions.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/hyperledger/besu/commit/4170524ac3b45185704fcfbdeeb71b0b05dfa0a1 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/hyperledger/besu/pull/3039 | Issue Tracking, Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/hyperledger/besu/security/advisories/GHSA-7pg2-p5vj-xp5h | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/hyperledger/besu/commit/4170524ac3b45185704fcfbdeeb71b0b05dfa0a1 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/hyperledger/besu/pull/3039 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/hyperledger/besu/security/advisories/GHSA-7pg2-p5vj-xp5h | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | besu | 21.10.0 | |
| linuxfoundation | besu | 21.10.0 | |
| linuxfoundation | besu | 21.10.0 | |
| linuxfoundation | besu | 21.10.0 | |
| linuxfoundation | besu | 21.10.0 | |
| linuxfoundation | besu | 21.10.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:besu:21.10.0:-:*:*:*:*:*:*",
"matchCriteriaId": "F2FDDEA0-D513-4C33-8001-83A2DE4CEAEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:besu:21.10.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8A6E500F-A15A-432C-BA08-CEF7868B12C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:besu:21.10.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "B2CE0FEE-071A-4BDD-BAD6-41F2DB7F52A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:besu:21.10.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "918662C1-AC2E-49AE-9486-916291AE325E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:besu:21.10.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "AF3AA73B-FA49-4C84-A6B3-18D04A3154AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:besu:21.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CA39AB7F-5479-458A-A602-53603138DF6F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Besu is an Ethereum client written in Java. Starting in version 21.10.0, changes in the implementation of the SHL, SHR, and SAR operations resulted in the introduction of a signed type coercion error in values that represent negative values for 32 bit signed integers. Smart contracts that ask for shifts between approximately 2 billion and 4 billion bits (nonsensical but valid values for the operation) will fail to execute and hence fail to validate. In networks where vulnerable versions are mining with other clients or non-vulnerable versions this will result in a fork and the relevant transactions will not be included in the fork. In networks where vulnerable versions are not mining (such as Rinkeby) no fork will result and the validator nodes will stop accepting blocks. In networks where only vulnerable versions are mining the relevant transaction will not be included in any blocks. When the network adds a non-vulnerable version the network will act as in the first case. Besu 21.10.2 contains a patch for this issue. Besu 21.7.4 is not vulnerable and clients can roll back to that version. There is a workaround available: Once a transaction with the relevant shift operations is included in the canonical chain, the only remediation is to make sure all nodes are on non-vulnerable versions."
},
{
"lang": "es",
"value": "Besu es un cliente de Ethereum escrito en Java. A partir de la versi\u00f3n 21.10.0, los cambios en la implementaci\u00f3n de las operaciones SHL, SHR y SAR resultaron en la introducci\u00f3n de un error de coerci\u00f3n de tipo con signo en valores que representan valores negativos para enteros con signo de 32 bits. Los contratos inteligentes que piden desplazamientos entre aproximadamente 2.000 millones y 4.000 millones de bits (valores sin sentido pero v\u00e1lidos para la operaci\u00f3n) fallar\u00e1n en la ejecuci\u00f3n y, por tanto, en la comprobaci\u00f3n. En las redes en las que las versiones vulnerables est\u00e9n minando con otros clientes o versiones no vulnerables ser\u00e1 producida una bifurcaci\u00f3n y las transacciones correspondientes no ser\u00e1n incluidas en la bifurcaci\u00f3n. En redes donde las versiones vulnerables no est\u00e1n minando (como Rinkeby) no ser\u00e1 producida ninguna bifurcaci\u00f3n y los nodos comprobadores dejar\u00e1n de aceptar bloques. En las redes en las que s\u00f3lo minan las versiones vulnerables, la transacci\u00f3n correspondiente no ser\u00e1 incluida en ning\u00fan bloque. Cuando la red a\u00f1ada una versi\u00f3n no vulnerable la red actuar\u00e1 como en el primer caso. Besu versi\u00f3n 21.10.2 contiene un parche para este problema. Besu versi\u00f3n 21.7.4 no es vulnerable y los clientes pueden volver a esa versi\u00f3n. Se presenta una soluci\u00f3n disponible: Una vez que una transacci\u00f3n con las operaciones de cambio pertinentes es incluida en la cadena can\u00f3nica, la \u00fanica soluci\u00f3n es asegurarse de que todos los nodos est\u00e1n en versiones no vulnerables"
}
],
"id": "CVE-2021-41272",
"lastModified": "2024-11-21T06:25:56.277",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2021-12-13T21:15:09.083",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/commit/4170524ac3b45185704fcfbdeeb71b0b05dfa0a1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/pull/3039"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-7pg2-p5vj-xp5h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/commit/4170524ac3b45185704fcfbdeeb71b0b05dfa0a1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/pull/3039"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-7pg2-p5vj-xp5h"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-681"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-24 02:15
Modified
2024-11-21 07:12
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | besu | * | |
| linuxfoundation | besu | 22.4.0 | |
| linuxfoundation | besu | 22.4.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:besu:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CF3DBB75-E403-452E-814C-B97287A514AE",
"versionEndExcluding": "22.7.1",
"versionStartIncluding": "22.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:besu:22.4.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0E64BDC7-01F3-4D3D-9946-F00E39AEF72A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:besu:22.4.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "43631E60-9030-4927-95DC-9B0BBC022BD1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution."
},
{
"lang": "es",
"value": "Besu es un cliente Ethereum basado en Java. En las versiones m\u00e1s recientes que 22.1.3 y anteriores a 22.7.1, Besu est\u00e1 sujeto a una Conversi\u00f3n Incorrecta entre Tipos Num\u00e9ricos. Un error en los tipos con signo y sin signo de 32 bits en el c\u00e1lculo del gas disponible en las operaciones CALL (incluyendo DELEGATECALL) provoca que sea pasado gas incorrecto a los contratos llamados y que sea devuelto gas incorrecto tras la ejecuci\u00f3n de la llamada. Cuando la cantidad de gas marca una diferencia en el \u00e9xito o el fracaso, o si el gas es un valor negativo de 64 bits, la ejecuci\u00f3n resultar\u00e1 a un root state diferente a lo esperado, resultando en un fallo de consenso en redes con m\u00faltiples implementaciones de EVM. En redes con una sola implementaci\u00f3n de EVM, esto puede ser usado para ejecutar con un gas significativamente mayor que la transacci\u00f3n solicitada, posiblemente excediendo las limitaciones de gas. Este problema est\u00e1 parcheado en versi\u00f3n 22.7.1. Como mitigaci\u00f3n, volver a versi\u00f3n 22.1.3 o anterior evitar\u00e1 una ejecuci\u00f3n incorrecta.\n"
}
],
"id": "CVE-2022-36025",
"lastModified": "2024-11-21T07:12:12.667",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-24T02:15:09.587",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-196"
},
{
"lang": "en",
"value": "CWE-681"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-681"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}