User Enumeration in OpenStack Keystone by OpenStack
CVE-2018-20170

5.3 MEDIUM

Key Information:

Vendor:
OpenStack
Status:
Vendor
CVE Published:
17 December 2018

Summary

OpenStack Keystone versions up to 14.0.1 are susceptible to a user enumeration vulnerability. When handling a POST /v3/auth/tokens request, the service responds considerably faster for a username that does not exist than for one that does. An attacker can therefore distinguish valid from invalid usernames by measuring response times, without needing any credentials. OpenStack treats this as a hardening opportunity rather than a critical issue, but removing the timing difference between the two code paths is what prevents the username list from being confirmed one account at a time.
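The timing oracle above comes from an authentication path that returns early for an unknown user and skips the expensive password-hash step. As an added illustration (not Keystone's code), the snippet below shows a leaky handler next to a hardened one that always performs the key-derivation work, and a hypothetical counter that confirms both username outcomes cost the same number of hash computations; the user store and dummy credential are constructed inline.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store: username -> (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential used whenever the username is unknown, so the costly
# key-derivation step runs on every request regardless of user existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

# Hypothetical instrumentation: counts key-derivation calls per attempt.
HASH_CALLS = {"count": 0}

def _counted_hash(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return _hash(password, salt)

def authenticate_leaky(username: str, password: str) -> bool:
    # Unknown user: returns immediately, no hash computed, fast reply.
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_counted_hash(password, salt), expected)

def authenticate_hardened(username: str, password: str) -> bool:
    # Always derive a hash, against the real record or the dummy one,
    # so known and unknown usernames perform the same work.
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_counted_hash(password, salt), expected)
    return ok and username in USERS

def hash_calls_for(func, username: str, password: str) -> int:
    # Number of key-derivation calls one login attempt triggers.
    before = HASH_CALLS["count"]
    func(username, password)
    return HASH_CALLS["count"] - before
```

The counter is a stand-in for wall-clock measurement: the leaky handler does zero hash work for an unknown user and one derivation for a known one, while the hardened handler does one in both cases.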

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
