CVE-2021-38155

CWE-3076 documents5 sources

Severity

7.5HIGH

EPSS

0.7%

top 27.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Keystone

Timeline

PublishedAug 6

Latest updateMay 24

Description

OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failu…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDopenstack/keystone10.0.0 — 16.0.2+3

▶PyPIkeystone10.0 — 16.0.2+3

▶Debiankeystone< 2:18.0.0-3+deb11u1+3

Patches

Patch: www.openwall.com ↗Patch: launchpad.net ↗Patch: security.openstack.org ↗

🔴Vulnerability Details

OSV

OpenStack Keystone allows information disclosure during account locking↗2022-05-24

▶

GHSA

OpenStack Keystone allows information disclosure during account locking↗2022-05-24

▶

OSV

CVE-2021-38155: OpenStack Keystone 10↗2021-08-06

▶

CVEList

CVE-2021-38155: OpenStack Keystone 10↗2021-08-06

▶

📋Vendor Advisories

Debian

CVE-2021-38155: keystone - OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x bef...↗2021

▶