47 lines
1.1 KiB
YAML
47 lines
1.1 KiB
YAML
date: 2021-08-10
|
|
|
|
id: OSSA-2021-003
|
|
|
|
title: Account name and UUID oracles in account locking
|
|
|
|
description: >
|
|
Samuel de Medeiros Queiroz with Oi Cloud reported a vulnerability affecting
|
|
Keystone account locking. By guessing the name of an account and failing to
|
|
authenticate multiple times, any unauthenticated actor could both confirm the
|
|
account exists and obtain that account's corresponding UUID, which might be
|
|
leveraged for other unrelated attacks. All Keystone deployments enabling
|
|
security_compliance.lockout_failure_attempts are affected.
|
|
|
|
affected-products:
|
|
- product: Keystone
|
|
version: '>=10.0.0 <16.0.2, >=17.0.0 <17.0.1, >=18.0.0 <18.0.1, >=19.0.0 <19.0.1'
|
|
|
|
vulnerabilities:
|
|
- cve-id: CVE-2021-38155
|
|
|
|
reporters:
|
|
- name: Samuel de Medeiros Queiroz
|
|
affiliation: Oi Cloud
|
|
reported:
|
|
- CVE-2021-38155
|
|
|
|
issues:
|
|
links:
|
|
- https://launchpad.net/bugs/1688137
|
|
|
|
reviews:
|
|
xena:
|
|
- https://review.opendev.org/759940
|
|
|
|
wallaby:
|
|
- https://review.opendev.org/790440
|
|
|
|
victoria:
|
|
- https://review.opendev.org/790442
|
|
|
|
ussuri:
|
|
- https://review.opendev.org/790443
|
|
|
|
train:
|
|
- https://review.opendev.org/790444
|