{"api_version":"1","generated_at":"2026-04-23T11:35:22+00:00","cve":"CVE-2021-40797","urls":{"html":"https://cve.report/CVE-2021-40797","api":"https://cve.report/api/cve/CVE-2021-40797.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-40797","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-40797"},"summary":{"title":"CVE-2021-40797","description":"An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-09-08 20:15:00","updated_at":"2021-09-15 19:01:00"},"problem_types":["CWE-772"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2021/09/09/2","name":"[oss-security] 20210909 [OSSA-2021-006] Neutron: Routes middleware memory leak for nonexistent controllers (CVE-2021-40797)","refsource":"MLIST","tags":[],"title":"oss-security - [OSSA-2021-006] Neutron: Routes middleware memory leak for\n nonexistent controllers (CVE-2021-40797)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://launchpad.net/bugs/1942179","name":"https://launchpad.net/bugs/1942179","refsource":"MISC","tags":[],"title":"Bug #1942179 “neutron api worker leaks memory when processing re...” : Bugs : neutron","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.openstack.org/ossa/OSSA-2021-006.html","name":"https://security.openstack.org/ossa/OSSA-2021-006.html","refsource":"CONFIRM","tags":[],"title":"OSSA-2021-006: Routes middleware memory leak for nonexistent controllers — OpenStack Security Advisories 0.0.1.dev242 documentation","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-40797","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40797","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"40797","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openstack","cpe5":"neutron","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-40797","qid":"180368","title":"Debian Security Update for neutron (CVE-2021-40797)"},{"cve":"CVE-2021-40797","qid":"199327","title":"Ubuntu Security Notification for OpenStack Neutron Vulnerabilities (USN-6067-1)"},{"cve":"CVE-2021-40797","qid":"240175","title":"Red Hat Update for OpenStack Platform 16.1 (RHSA-2022:0990)"},{"cve":"CVE-2021-40797","qid":"240179","title":"Red Hat Update for OpenStack Platform 16.2 (RHSA-2022:0996)"},{"cve":"CVE-2021-40797","qid":"997504","title":"Python (Pip) Security Update for neutron (GHSA-cpx3-696p-3cw9)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-40797","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://launchpad.net/bugs/1942179","refsource":"MISC","name":"https://launchpad.net/bugs/1942179"},{"refsource":"CONFIRM","name":"https://security.openstack.org/ossa/OSSA-2021-006.html","url":"https://security.openstack.org/ossa/OSSA-2021-006.html"},{"refsource":"MLIST","name":"[oss-security] 20210909 [OSSA-2021-006] Neutron: Routes middleware memory leak for nonexistent controllers (CVE-2021-40797)","url":"http://www.openwall.com/lists/oss-security/2021/09/09/2"}]}},"nvd":{"publishedDate":"2021-09-08 20:15:00","lastModifiedDate":"2021-09-15 19:01:00","problem_types":["CWE-772"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*","versionEndExcluding":"16.4.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*","versionStartIncluding":"18.0.0","versionEndExcluding":"18.1.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*","versionStartIncluding":"17.0.0","versionEndExcluding":"17.2.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"40797","Ordinal":"216550","Title":"CVE-2021-40797","CVE":"CVE-2021-40797","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"40797","Ordinal":"1","NoteData":"An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"40797","Ordinal":"2","NoteData":"2021-09-08","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"40797","Ordinal":"3","NoteData":"2021-09-09","Type":"Other","Title":"Modified"}]}}}