CVE-2021-38155
First published: Fri Aug 06 2021(Updated: )
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Keystone | >=10.0.0<16.0.2 | |
| OpenStack Keystone | >=17.0.0<17.0.1 | |
| OpenStack Keystone | >=18.0.0<18.0.1 | |
| OpenStack Keystone | >=19.0.0<19.0.1 | |
| pip/keystone | >=19.0<19.0.1 | 19.0.1 |
| pip/keystone | >=18.0<18.0.1 | 18.0.1 |
| pip/keystone | >=17.0<17.0.1 | 17.0.1 |
| pip/keystone | >=10.0<16.0.2 | 16.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2021/08/10/5
- https://launchpad.net/bugs/1688137
- https://security.openstack.org/ossa/OSSA-2021-003.html
- https://lists.debian.org/debian-lts-announce/2024/01/msg00007.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-38155
- https://github.com/openstack/keystone/commit/1b573ae7d1c20e0ebfbde79bbe7538a09589c75d
- https://github.com/openstack/keystone/commit/8ab4eb27be4c13c9bab2b3ea700f00a190521bf8
- https://github.com/openstack/keystone/commit/ac2631ae33445877094cdae796fbcdce8833a626
- https://github.com/advisories/GHSA-4225-97pr-rr52 (Advisory)
Frequently Asked Questions
What is CVE-2021-38155?
CVE-2021-38155 is a vulnerability in OpenStack Keystone versions 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1.
What is the severity of CVE-2021-38155?
The severity of CVE-2021-38155 is high, with a severity value of 7.5.
How does CVE-2021-38155 allow information disclosure?
CVE-2021-38155 allows information disclosure during account locking by guessing the name of an account and failing to authenticate multiple times.
Which versions of OpenStack Keystone are affected by CVE-2021-38155?
OpenStack Keystone versions 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 are affected by CVE-2021-38155.
Where can I find more information about CVE-2021-38155?
You can find more information about CVE-2021-38155 at the following references: [1] http://www.openwall.com/lists/oss-security/2021/08/10/5 [2] https://launchpad.net/bugs/1688137 [3] https://security.openstack.org/ossa/OSSA-2021-003.html
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/description
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4225-97pr-rr52
- alias/CVE-2021-38155
- agent/references
- agent/last-modified-date
- agent/severity
- agent/tags
- collector/nvd-cve
- agent/softwarecombine
- agent/event
- collector/github-advisory
- vendor/openstack
- canonical/openstack keystone
- version/openstack keystone/10.0.0
- version/openstack keystone/17.0.0
- version/openstack keystone/18.0.0
- version/openstack keystone/19.0.0
- package-manager/pip