CVE-2021-40797
Published 2021-09-08
Priority: P433, medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.70% (74.4th percentile)
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | neutron | < neutron 2:19.0.0-1 (bookworm) | neutron 2:19.0.0-1 (bookworm) |
| openstack | neutron | < 16.4.1 | 16.4.1 |
| openstack | neutron | >= 0 < 2:17.2.1-0+deb11u1 | 2:17.2.1-0+deb11u1 |
| openstack | neutron | >= 0 < 2:19.0.0-1 | 2:19.0.0-1 |
| openstack | neutron | >= 0 < 2:19.0.0-1 | 2:19.0.0-1 |
| openstack | neutron | >= 0 < 2:19.0.0-1 | 2:19.0.0-1 |
| openstack | neutron | >= 0 < 16.4.1 | 16.4.1 |
| openstack | neutron | >= 0 < 2:12.1.1-0ubuntu8.1 | 2:12.1.1-0ubuntu8.1 |
| openstack | neutron | >= 0 < 2:16.4.2-0ubuntu6.2 | 2:16.4.2-0ubuntu6.2 |
| openstack | neutron | >= 0 < 2:20.3.0-0ubuntu1.1 | 2:20.3.0-0ubuntu1.1 |
| openstack | neutron | >= 17.0.0 < 17.2.1 | 17.2.1 |
| openstack | neutron | >= 17.0.0 < 17.2.1 | 17.2.1 |
| openstack | neutron | >= 18.0.0 < 18.1.1 | 18.1.1 |
| openstack | neutron | >= 18.0.0 < 18.1.1 | 18.1.1 |
CVSS provenance
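| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
| osv | | 7.1 | HIGH | |
| vendor_ubuntu | | 7.1 | HIGH | |
| vendor_debian | | 6.5 | LOW | |
| vendor_redhat | | 6.5 | MEDIUM | |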
OSV
neutron vulnerabilities
osv·2023-05-10·CVSS 7.1
CVE-2021-20267 [HIGH] neutron vulnerabilities
David Sinquin discovered that OpenStack Neutron incorrectly handled the
default Open vSwitch firewall rules. An attacker could possibly use this
issue to impersonate the IPv6 addresses of other systems on the network.
This issue only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
(CVE-2021-20267)
Jake Yip and Justin Mammarella discovered that OpenStack Neutron
incorrectly handled the linuxbridge driver when ebtables-nft is being
used. An attacker could possibly use this issue to impersonate the hardware
addresses of other systems on the network. This issue only affected Ubuntu
18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-38598)
Pavel Toporkov discovered that OpenStack Neutron incorrectly handled
extra_dhcp_opts values. An attacker could possibly use this issue to
OSV
OpenStack Neutron Denial of Service vulnerability
osv·2022-05-24
CVE-2021-40797 [HIGH] OpenStack Neutron Denial of Service vulnerability
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
GHSA
OpenStack Neutron Denial of Service vulnerability
ghsa·2022-05-24
CVE-2021-40797 [HIGH] CWE-772 OpenStack Neutron Denial of Service vulnerability
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
OSV
CVE-2021-40797: An issue was discovered in the routes middleware in OpenStack Neutron before 16
osv·2021-09-08·CVSS 6.5
CVE-2021-40797 [MEDIUM] CVE-2021-40797: An issue was discovered in the routes middleware in OpenStack Neutron before 16
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
Ubuntu
OpenStack Neutron vulnerabilities
vendor_ubuntu·2023-05-10·CVSS 7.1
CVE-2021-20267 [HIGH] OpenStack Neutron vulnerabilities
Title: OpenStack Neutron vulnerabilities
Summary: Several security issues were fixed in OpenStack Neutron.
David Sinquin discovered that OpenStack Neutron incorrectly handled the
default Open vSwitch firewall rules. An attacker could possibly use this
issue to impersonate the IPv6 addresses of other systems on the network.
This issue only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
(CVE-2021-20267)
Jake Yip and Justin Mammarella discovered that OpenStack Neutron
incorrectly handled the linuxbridge driver when ebtables-nft is being
used. An attacker could possibly use this issue to impersonate the hardware
addresses of other systems on the network. This issue only affected Ubuntu
18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-38598)
Pavel Toporkov discovered that OpenStack Neutron incor
Red Hat
openstack-neutron: Routes middleware memory leak for nonexistent controllers
vendor_redhat·2021-09-08·CVSS 6.5
CVE-2021-40797 [MEDIUM] CWE-770 openstack-neutron: Routes middleware memory leak for nonexistent controllers
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
A resource-allocation flaw was found in openstack-neutron. An authenticated attacker could make API requests involving nonexistent controllers causing the API worker to consume increasing amounts of memory. This flaw could be exploited to force API performance degradation or denial of service.
Mitigation: Mitigation for this issue is either not available or the currently availabl
Debian
CVE-2021-40797: neutron - An issue was discovered in the routes middleware in OpenStack Neutron before 16....
vendor_debian·2021·CVSS 6.5
CVE-2021-40797 [MEDIUM] CVE-2021-40797: neutron - An issue was discovered in the routes middleware in OpenStack Neutron before 16....
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
Scope: local
bookworm: resolved (fixed in 2:19.0.0-1)
bullseye: resolved (fixed in 2:17.2.1-0+deb11u1)
forky: resolved (fixed in 2:19.0.0-1)
sid: resolved (fixed in 2:19.0.0-1)
trixie: resolved (fixed in 2:19.0.0-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-09-08