CVE-2021-40797

An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.

References

Affected packages

Debian:11 / neutron

Package

Name: neutron
Purl: pkg:deb/debian/neutron?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2:17.2.1-0+deb11u1

Affected versions

2:17.*

2:17.1.1-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / neutron

Package

Name: neutron
Purl: pkg:deb/debian/neutron?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2:19.0.0-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / neutron

Package

Name: neutron
Purl: pkg:deb/debian/neutron?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2:19.0.0-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/openstack/neutron

Affected ranges

Type: GIT
Repo: https://github.com/openstack/neutron
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

6a761dc42da99625bb18b4aabf4e2b340396c78c