Launchpad.net

CVE 2021-38155

OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.

Related bugs and status

CVE-2021-38155 (Candidate) is related to these bugs:

Bug #1688137: [OSSA-2021-003] Account name and UUID oracles in account locking (CVE-2021-38155)

Summary				In	Importance	Status
	1688137	[OSSA-2021-003] Account name and UUID oracles in account locking (CVE-2021-38155)		OpenStack Identity (keystone)	Medium	Triaged
	1688137	[OSSA-2021-003] Account name and UUID oracles in account locking (CVE-2021-38155)		OpenStack Security Advisory	Medium	Fix Released

Bug #2021546: [Debian] High CVE: CVE-2021-38155: keystone: nformation disclosure during account locking

Summary				In	Importance	Status
	2021546	[Debian] High CVE: CVE-2021-38155: keystone: nformation disclosure during account locking		StarlingX	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2021-38155

Related bugs and status

Related bugs

References