User Enumeration in OpenStack Keystone by OpenStack
CVE-2018-20170
5.3 MEDIUM
Summary
OpenStack Keystone versions up to 14.0.1 are susceptible to a user enumeration vulnerability. When handling a POST /v3/auth/tokens request, the service responds considerably faster for invalid usernames than for valid ones. An unauthenticated client can therefore infer which usernames exist by comparing response times. OpenStack treats this as a hardening opportunity rather than a critical issue, but removing the timing difference is still worthwhile: a confirmed list of valid usernames is the first step toward unauthorized access to user data.
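The timing difference described above, as an added Python example that is not Keystone's code: a toy password check that returns early for unknown users sits beside a hardened version that always hashes against a dummy record, so the unknown-user and wrong-password paths do the same amount of work. The user store, PBKDF2 parameters and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed sample credential store (username -> (salt, PBKDF2-SHA256 hash)).
# Iteration count is kept low so the demo runs quickly; production uses far more.
ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record hashed once at startup; used whenever the username is unknown.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-not-a-real-password", _DUMMY_SALT)


def authenticate_vulnerable(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False  # early return: no hashing, so this path is measurably faster
    salt, expected = rec
    return hmac.compare_digest(_hash(password, salt), expected)


def authenticate_hardened(username: str, password: str) -> bool:
    rec = USERS.get(username)
    user_exists = rec is not None
    # Unknown users are checked against the dummy record, so the hash work
    # (the dominant cost) is the same regardless of whether the user exists.
    salt, expected = rec if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash(password, salt), expected)
    return user_exists & match  # non-short-circuit combine; both are bools


def median_seconds(fn, username: str, password: str, trials: int = 10) -> float:
    """Median wall-clock time of fn(username, password) over several trials."""
    samples = []
    for _ in range(trials):
        start = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


if __name__ == "__main__":
    for fn in (authenticate_vulnerable, authenticate_hardened):
        known = median_seconds(fn, "alice", "wrong-password")
        unknown = median_seconds(fn, "nobody", "wrong-password")
        print(f"{fn.__name__}: known user {known:.4f}s, unknown user {unknown:.4f}s")
```

Running the module shows the vulnerable check finishing the unknown-user case almost instantly while the hardened check takes the same time on both paths; only the password-hash cost is equalized here, so a real service must also audit database lookups and error handling for residual differences.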
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged