Vulnerability Details: CVE-2021-40797
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
Vulnerability category: Denial of service
Products affected by CVE-2021-40797
- cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-40797
- EPSS score: 0.08% (probability of exploitation activity in the next 30 days)
- Percentile: ~38% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-40797
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P | 8.0 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2021-40797
- The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-40797
- http://www.openwall.com/lists/oss-security/2021/09/09/2
  oss-security - [OSSA-2021-006] Neutron: Routes middleware memory leak for nonexistent controllers (CVE-2021-40797)
  Tags: Mailing List; Patch; Third Party Advisory
- https://launchpad.net/bugs/1942179
  Bug #1942179 “Routes middleware memory leak for nonexistent cont...” : Bugs : neutron
  Tags: Exploit; Issue Tracking; Third Party Advisory
- https://security.openstack.org/ossa/OSSA-2021-006.html
  OSSA-2021-006: Routes middleware memory leak for nonexistent controllers — OpenStack Security Advisories 0.0.1.dev242 documentation
  Tags: Patch; Vendor Advisory