CVE-2021-40797
6.5 MEDIUM
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1
Published: 2021-09-08 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 6.5 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- CWE: CWE-772
Affected products
| Vendor | Product |
|---|---|
| openstack | neutron |
Description
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-40797
- [Patch] http://www.openwall.com/lists/oss-security/2021/09/09/2
- [Exploit reference] https://launchpad.net/bugs/1942179
- [Patch] https://security.openstack.org/ossa/OSSA-2021-006.html
Related CVEs
Same vendor
- CVE-2026-50589 — In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API o... (5.3 MEDIUM)
- CVE-2026-48681 — OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image (5.9 MEDIUM)
- CVE-2026-44917 — OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via ... (4.9 MEDIUM)
- CVE-2026-46447 — OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info (5.8 MEDIUM)
- CVE-2026-44394 — An issue was discovered in OpenStack Keystone before 29.0.2 (6.0 MEDIUM)
Same CWE
- CVE-2026-45536 — Netty is a network application framework for development of protocol servers and clients (4.0 MEDIUM)
- CVE-2026-45287 — OpenTelemetry-Go is the Go implementation of OpenTelemetry
- CVE-2026-9156 — Tanium addressed a denial of service vulnerability in Tanium Server (6.5 MEDIUM)
- CVE-2026-42577 — Netty is an asynchronous, event-driven network application framework (7.5 HIGH)
- CVE-2026-3104 — A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain (7.5 HIGH)