CVE-2021-3563: Incorrect Authorization in Keystone

Severity: 7.4 HIGH (NVD)
EPSS: 0.1% (top 82.42%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 26; latest update Dec 11

Description

A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified, allowing attackers to bypass some password complexity requirements which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (Exploitability: 2.2 | Impact: 5.2)

Affected Packages (5 packages)

Debian: openstack/keystone < 2:23.0.0-3+1
Ubuntu: openstack/keystone < 2:21.0.1-0ubuntu2.1
PyPI: openstack/keystone 21.0.0
CVEListV5: openstack/keystone Not-known
NVD: redhat/openstack_platform 4 versions (+3)

Also affects: Debian Linux 10.0, 11.0

Vulnerability Details (5)

OSV: keystone vulnerabilities (2025-12-11)
GHSA: Openstack Keystone Incorrect Authorization vulnerability (2022-08-27)
OSV: Openstack Keystone Incorrect Authorization vulnerability (2022-08-27)
CVEList: CVE-2021-3563: A flaw was found in openstack-keystone (2022-08-26)
OSV: CVE-2021-3563: A flaw was found in openstack-keystone (2022-08-26)

Vendor Advisories (3)

Ubuntu: OpenStack Keystone vulnerabilities (2025-12-11)
Red Hat: Keystone: Verification of application credentials is silently length-limited (2021-02-17)
Debian: CVE-2021-3563: keystone - A flaw was found in openstack-keystone. Only the first 72 characters of an appli... (2021)
CVE-2021-3563 — Incorrect Authorization in Keystone | cvebase