CVE-2021-40797

Name: CVE-2021-40797
Description: An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 994202

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| neutron (PTS) | stretch (security), stretch | 2:9.1.1-3+deb9u1 | vulnerable |
| | buster | 2:13.0.2-15 | vulnerable |
| | bullseye | 2:17.1.1-6 | vulnerable |
| | bookworm, sid | 2:18.1.0-3 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| neutron | source | (unstable) | (unfixed) | unimportant | | 994202 |

Notes

https://launchpad.net/bugs/1942179
neutron-api in Debian is served over UWSGI, cf. https://bugs.debian.org/994202
and so serves the requests and stops the process.
