GHSA-4225-97pr-rr52

Source
https://github.com/advisories/GHSA-4225-97pr-rr52
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4225-97pr-rr52/GHSA-4225-97pr-rr52.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4225-97pr-rr52
Aliases
Published
2022-05-24T19:10:15Z
Modified
2024-05-14T17:42:02.571280Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
OpenStack Keystone allows information disclosure during account locking
Details

OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.

References

Affected packages

PyPI / keystone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0
Fixed
16.0.2

Affected versions

12.*

12.0.2
12.0.3

13.*

13.0.2
13.0.3
13.0.4

14.*

14.0.0
14.0.1
14.1.0
14.2.0

15.*

15.0.0.0rc1
15.0.0.0rc2
15.0.0
15.0.1

16.*

16.0.0.0rc1
16.0.0.0rc2
16.0.0
16.0.1

PyPI / keystone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
17.0
Fixed
17.0.1

Affected versions

17.*

17.0.0

PyPI / keystone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
18.0
Fixed
18.0.1

Affected versions

18.*

18.0.0

PyPI / keystone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
19.0
Fixed
19.0.1

Affected versions

19.*

19.0.0