7.5

CVE-2021-38155

Exploit
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenstackKeystone Version >= 10.0.0 < 16.0.2
OpenstackKeystone Version >= 17.0.0 < 17.0.1
OpenstackKeystone Version >= 18.0.0 < 18.0.1
OpenstackKeystone Version >= 19.0.0 < 19.0.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.46% 0.823
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

http://www.openwall.com/lists/oss-security/2021/08/10/5
Patch
Third Party Advisory
Mailing List
https://launchpad.net/bugs/1688137
Patch
Third Party Advisory
Exploit
Issue Tracking
https://lists.debian.org/debian-lts-announce/2024/01/msg00007.html
https://security.openstack.org/ossa/OSSA-2021-003.html
Patch
Vendor Advisory