Date: Tue, 10 Aug 2021 14:54:41 +0000 From: Jeremy Stanley <fungi@...goth.org> To: oss-security@...ts.openwall.com Subject: [OSSA-2021-003] Keystone: Account name and UUID oracles in account locking (CVE-2021-38155) =============================================================== OSSA-2021-003: Account name and UUID oracles in account locking =============================================================== :Date: August 10, 2021 :CVE: CVE-2021-38155 Affects ~~~~~~~ - Keystone: >=10.0.0 <16.0.2, >=17.0.0 <17.0.1, >=18.0.0 <18.0.1, >=19.0.0 <19.0.1 Description ~~~~~~~~~~~ Samuel de Medeiros Queiroz with Oi Cloud reported a vulnerability affecting Keystone account locking. By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All Keystone deployments enabling security_compliance.lockout_failure_attempts are affected. Patches ~~~~~~~ - https://review.opendev.org/790444 (Train) - https://review.opendev.org/790443 (Ussuri) - https://review.opendev.org/790442 (Victoria) - https://review.opendev.org/790440 (Wallaby) - https://review.opendev.org/759940 (Xena) Credits ~~~~~~~ - Samuel de Medeiros Queiroz from Oi Cloud (CVE-2021-38155) References ~~~~~~~~~~ - https://launchpad.net/bugs/1688137 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38155 -- Jeremy Stanley Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.