CVE-2021-40797

CWE-772 CWE-770 — Allocation without Limits8 documents7 sources

Severity

6.5MEDIUM

EPSS

0.4%

top 40.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Neutron

Timeline

PublishedSep 8

Latest updateMay 10

Description

An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDopenstack/neutron17.0.0 — 17.2.1+2

▶PyPIneutron17.0.0 — 17.2.1+2

▶Debianneutron< 2:17.2.1-0+deb11u1+3

Patches

Patch: www.openwall.com ↗Patch: security.openstack.org ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

OpenStack Neutron Denial of Service vulnerability↗2022-05-24

▶

GHSA

OpenStack Neutron Denial of Service vulnerability↗2022-05-24

▶

OSV

CVE-2021-40797: An issue was discovered in the routes middleware in OpenStack Neutron before 16↗2021-09-08

▶

CVEList

CVE-2021-40797: An issue was discovered in the routes middleware in OpenStack Neutron before 16↗2021-09-08

▶

📋Vendor Advisories

Ubuntu

OpenStack Neutron vulnerabilities↗2023-05-10

▶

Red Hat

openstack-neutron: Routes middleware memory leak for nonexistent controllers↗2021-09-08

▶

Debian

CVE-2021-40797: neutron - An issue was discovered in the routes middleware in OpenStack Neutron before 16....↗2021

▶