Published: 06/08/2021 Updated: 21/01/2024

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

OpenStack Keystone 10.x up to and including 16.x prior to 16.0.2, 17.x prior to 17.0.1, 18.x prior to 18.0.1, and 19.x prior to 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.

Vulnerable Product	Search on Vulmon	Subscribe to Product
openstack keystone

Debian Bug report logs - #992070 keystone: CVE-2021-38155: Account name and UUID oracles in account locking Package: src:keystone; Maintainer for src:keystone is Debian OpenStack <team+openstack@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 10 Aug 2021 16:12:02 UTC Severity: im ...

oss-sec mailing list archives   By Date By Thread </form>    [OSSA-2021-003] Keystone: Account name and UUID oracles in account locking (CVE-2021-38155)  <!--X- ...

CWE-307 https://launchpad.net/bugs/1688137 https://security.openstack.org/ossa/OSSA-2021-003.html http://www.openwall.com/lists/oss-security/2021/08/10/5 https://lists.debian.org/debian-lts-announce/2024/01/msg00007.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992070 https://nvd.nist.gov

CVE-2021-38155

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

References

Vulmon Search

About

Products

Connect