Vulnerabilities > CVE-2021-38155 - Improper Restriction of Excessive Authentication Attempts vulnerability in Openstack Keystone

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

openstack

CWE-307

NVD

Published: 2021-08-06

Updated: 2024-01-21

Summary

OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.

Vulnerable Configurations

Part	Description	Count
Application	Openstack Openstack Keystone 19.0.0 Openstack Keystone 19.0.0.0 Openstack Keystone 18.0.0 Openstack Keystone 18.0.0.0 Openstack Keystone 10.0.0 Openstack Keystone 10.0.1 Openstack Keystone 10.0.2 Openstack Keystone 10.0.3 Openstack Keystone 11.0.0 Openstack Keystone 11.0.1 Openstack Keystone 11.0.2 Openstack Keystone 11.0.3 Openstack Keystone 11.0.4 Openstack Keystone 12.0.0 Openstack Keystone 12.0.1 Openstack Keystone 12.0.2 Openstack Keystone 12.0.3 Openstack Keystone 13.0.0 Openstack Keystone 13.0.1 Openstack Keystone 13.0.2 Openstack Keystone 14.0.0 Openstack Keystone 14.0.1 Openstack Keystone 14.1.0 Openstack Keystone 15.0.0 Openstack Keystone 15.0.1 Openstack Keystone 16.0.0 Openstack Keystone 16.0.0.0 Openstack Keystone 16.0.1 Openstack Keystone 17.0.0 Openstack Keystone 17.0.0.0	57

Common Weakness Enumeration (CWE)

CWE-307 - Improper Restriction of Excessive Authentication Attempts

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References