CVE-2021-40797
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-40797
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-40797.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 2:19.0.0-1 |
| debian | bullseye | fixed | 2:17.2.1-0+deb11u1 |
| debian | forky | fixed | 2:19.0.0-1 |
| debian | sid | fixed | 2:19.0.0-1 |
| debian | trixie | fixed | 2:19.0.0-1 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-40797
- https://github.com/openstack/neutron/commit/e610a5eb9e71aa2549fb11e2139370d227787da2
- https://github.com/openstack/neutron
- https://github.com/pypa/advisory-database/tree/main/vulns/neutron/PYSEC-2021-329.yaml
- https://launchpad.net/bugs/1942179
- https://security.openstack.org/ossa/OSSA-2021-006.html
- http://www.openwall.com/lists/oss-security/2021/09/09/2
- https://www.suse.com/security/cve/CVE-2021-40797.html
- https://security-tracker.debian.org/tracker/CVE-2021-40797