6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-40797

GHSA ID

GHSA-cpx3-696p-3cw9

EPSS Score

0.56361%

CWE

CWE-772

Published

5/24/2022

Updated

9/25/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-40797

CVE-2021-40797: OpenStack Neutron Denial of Service vulnerability

An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-40797

GHSA ID

GHSA-cpx3-696p-3cw9

EPSS Score

0.56361%

CWE

CWE-772

Published

5/24/2022

Updated

9/25/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
neutron	pip	< 16.4.1	16.4.1
neutron	pip	>= 17.0.0, < 17.2.1	17.2.1
neutron	pip	>= 18.0.0, < 18.1.1	18.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from the use of routes.middleware.RoutesMiddleware with singleton=True in Neutron's API middleware stack. The commit e610a5eb9 explicitly fixes this by setting singleton=False. The singleton=True configuration caused thread-local storage (via _RequestConfig) to accumulate indefinitely when processing invalid API requests due to incompatibility with eventlet's monkeypatched threading.local implementation. This matches the CWE-772 (resource retention) description and the patch's focus on this parameter change.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in t** rout*s mi**l*w*r* in Op*nSt**k N*utron ***or* **.*.*, **.x ***or* **.*.*, *n* **.x ***or* **.*.*. *y m*kin* *PI r*qu*sts involvin* non*xist*nt *ontroll*rs, *n *ut**nti**t** us*r m*y **us* t** *PI work*r to *onsum* in*r*

Reasoning

T** vuln*r**ility st*mm** *rom t** us* o* `rout*s.mi**l*w*r*.Rout*sMi**l*w*r*` wit* sin*l*ton=Tru* in N*utron's *PI mi**l*w*r* st**k. T** *ommit ********* *xpli*itly *ix*s t*is *y s*ttin* sin*l*ton=**ls*. T** sin*l*ton=Tru* *on*i*ur*tion **us** t*r**

6.5

Basic Information

Concerned about an active attack path?

CVE-2021-40797: OpenStack Neutron Denial of Service vulnerability

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI