CVE-2021-38155
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.
Published
2021-08-06T21:15:06.687
Last Modified
2024-11-21T06:16:30.520
Status
Modified
Source
[email protected]
Severity
CVSSv3.1: 7.5 (HIGH)
CVSSv2 Vector
AV:N/AC:L/Au:N/C:P/I:N/A:N
- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: NONE
- Availability Impact: NONE
Exploitability Score
10.0
Impact Score
2.9
Weaknesses
Affected Vendors & Products
References
- http://www.openwall.com/lists/oss-security/2021/08/10/5 (Mailing List, Patch, Third Party Advisory) [[email protected]]
- https://launchpad.net/bugs/1688137 (Exploit, Issue Tracking, Patch, Third Party Advisory) [[email protected]]
- https://lists.debian.org/debian-lts-announce/2024/01/msg00007.html [[email protected]]
- https://security.openstack.org/ossa/OSSA-2021-003.html (Patch, Vendor Advisory) [[email protected]]
- http://www.openwall.com/lists/oss-security/2021/08/10/5 (Mailing List, Patch, Third Party Advisory) [af854a3a-2127-422b-91ae-364da2661108]
- https://launchpad.net/bugs/1688137 (Exploit, Issue Tracking, Patch, Third Party Advisory) [af854a3a-2127-422b-91ae-364da2661108]
- https://lists.debian.org/debian-lts-announce/2024/01/msg00007.html [af854a3a-2127-422b-91ae-364da2661108]
- https://security.openstack.org/ossa/OSSA-2021-003.html (Patch, Vendor Advisory) [af854a3a-2127-422b-91ae-364da2661108]