← Back

CVE-2021-38155

nvd nist
Published: Aug 6, 2021Modified: Nov 21, 2024

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.

Affected (4)

Products: Openstack: Keystone
Openstack
1 product
Keystone
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Openstack
Keystone
From 10.0.0 to 16.0.2
Keystone
From 17.0.0 to 17.0.1
Keystone
From 18.0.0 to 18.0.1
Keystone
From 19.0.0 to 19.0.1

Related CWEs

CWE-307
Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References (8)

Source: cve@mitre.org
Mailing ListPatchThird Party Advisory
Source: cve@mitre.org
ExploitIssue TrackingPatchThird Party Advisory
Source: cve@mitre.org
Source: cve@mitre.org
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitIssue TrackingPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory

Timeline

No history available yet.