Vulnerability Details : CVE-2021-38155
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.
Vulnerability category: Information leak
Products affected by CVE-2021-38155
- cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-38155
0.20%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 57 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-38155
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-38155
-
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-38155
-
https://security.openstack.org/ossa/OSSA-2021-003.html
OSSA-2021-003: Account name and UUID oracles in account locking — OpenStack Security Advisories 0.0.1.dev239 documentationPatch;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2021/08/10/5
oss-security - [OSSA-2021-003] Keystone: Account name and UUID oracles in account locking (CVE-2021-38155)Mailing List;Patch;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2024/01/msg00007.html
[SECURITY] [DLA 3714-1] keystone security update
-
https://launchpad.net/bugs/1688137
Bug #1688137 “Account name and UUID oracles in account locking (...” : Bugs : OpenStack Identity (keystone)Exploit;Issue Tracking;Patch;Third Party Advisory
Jump to