
[oss-security] [OSSA-2021-003] Keystone: Account name and UUID oracles in account locking (CVE-2021-38155)

OSSA-2021-003: Account name and UUID oracles in account locking

:Date: August 10, 2021
:CVE: CVE-2021-38155

- Keystone: >=10.0.0 <16.0.2, >=17.0.0 <17.0.1, >=18.0.0 <18.0.1, >=19.0.0 <19.0.1

Samuel de Medeiros Queiroz with Oi Cloud reported a vulnerability
affecting Keystone account locking. By guessing the name of an
account and failing to authenticate multiple times, any
unauthenticated actor could both confirm the account exists and
obtain that account's corresponding UUID, which might be leveraged
for other unrelated attacks. All Keystone deployments enabling
security_compliance.lockout_failure_attempts are affected.
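A minimal model of the oracle described above, added here as an illustration and not code from Keystone or the linked patches: the user store, the `AuthService` class, the `leaky` flag and the error strings are all constructed. The leaky branch stands for the reported behaviour (a lockout message that differs from the ordinary failure and carries the user id) and the uniform branch for the assumed mitigation of answering identically whether the name is unknown, the password is wrong, or the account is locked.

```python
"""Constructed model of an account-lockout oracle (not Keystone code)."""

# Constructed sample user store: name -> (user id, password).
USERS = {"alice": ("c0ffee00-0000-4000-8000-000000000001", "correct-horse")}
LOCKOUT_FAILURE_ATTEMPTS = 3  # stands in for security_compliance.lockout_failure_attempts
GENERIC_401 = (401, "Invalid username or password")


class AuthService:
    """Minimal password authenticator with per-account lockout counting."""

    def __init__(self, users, lockout_attempts=LOCKOUT_FAILURE_ATTEMPTS, leaky=True):
        self.users = users
        self.lockout_attempts = lockout_attempts
        self.leaky = leaky          # True: lockout response reveals the user id
        self.failures = {}          # name -> consecutive failed attempts

    def authenticate(self, name, password):
        if name not in self.users:
            return GENERIC_401      # unknown account: no counter ever exists
        user_id, real_pw = self.users[name]
        if self.failures.get(name, 0) >= self.lockout_attempts:
            if self.leaky:
                # Vulnerable pattern: a distinct message that also carries the id,
                # so an unauthenticated caller learns the account exists and its id.
                return (401, f"The account is locked for user: {user_id}")
            return GENERIC_401      # Hardened: locked looks like any other failure
        if password != real_pw:
            self.failures[name] = self.failures.get(name, 0) + 1
            return GENERIC_401
        self.failures[name] = 0
        return (201, f"token-for-{user_id}")


def lockout_is_oracle(service, known, unknown, attempts):
    """True if repeated failures make a real account distinguishable from a bogus one."""
    seen = set()
    for name in (known, unknown):
        for _ in range(attempts + 1):
            response = service.authenticate(name, "wrong-password")
        seen.add(response)          # response once the lockout threshold is passed
    return len(seen) > 1


def still_locks(service, name, password):
    """True if the right password is still rejected after the lockout threshold."""
    for _ in range(service.lockout_attempts):
        service.authenticate(name, "wrong-password")
    return service.authenticate(name, password) == GENERIC_401
```

The uniform variant keeps the lockout itself (a locked account rejects the correct password) while removing the difference in responses that a caller could observe.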

Patches:
- https://review.opendev.org/790444 (Train)
- https://review.opendev.org/790443 (Ussuri)
- https://review.opendev.org/790442 (Victoria)
- https://review.opendev.org/790440 (Wallaby)
- https://review.opendev.org/759940 (Xena)

Credits:
- Samuel de Medeiros Queiroz from Oi Cloud (CVE-2021-38155)

References:
- https://launchpad.net/bugs/1688137
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38155

Jeremy Stanley
