CVE-2021-40797

EUVD-2021-0143
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
Affected Products (NVD)
VendorProductVersion
openstackneutron
𝑥
< 16.4.1
openstackneutron
17.0.0 ≤
𝑥
< 17.2.1
openstackneutron
18.0.0 ≤
𝑥
< 18.1.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
neutron
bookworm
2:21.0.0-7
fixed
bullseye
2:17.2.1-0+deb11u1
fixed
bullseye (security)
2:17.2.1-0+deb11u1
fixed
sid
2:25.0.0-1
fixed
trixie
2:25.0.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
neutron
bionic
Fixed 2:12.1.1-0ubuntu8.1
released
focal
Fixed 2:16.4.2-0ubuntu6.2
released
hirsute
ignored
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
needs-triage
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2021/09/09/2
https://launchpad.net/bugs/1942179
https://security.openstack.org/ossa/OSSA-2021-006.html
http://www.openwall.com/lists/oss-security/2021/09/09/2
https://launchpad.net/bugs/1942179
https://security.openstack.org/ossa/OSSA-2021-006.html