7.5

CVE-2021-38155

Exploit

OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.

Data is provided by the National Vulnerability Database (NVD)
OpenstackKeystone Version >= 10.0.0 < 16.0.2
OpenstackKeystone Version >= 17.0.0 < 17.0.1
OpenstackKeystone Version >= 18.0.0 < 18.0.1
OpenstackKeystone Version >= 19.0.0 < 19.0.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 1.07% 0.77
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

http://www.openwall.com/lists/oss-security/2021/08/10/5
Patch
Third Party Advisory
Mailing List
https://launchpad.net/bugs/1688137
Patch
Third Party Advisory
Exploit
Issue Tracking