Openstack · Openstack Keystone · CVE-2018-20170
**Name of the Vulnerable Software and Affected Versions**
OpenStack Keystone versions through 14.0.1
**Description**
The issue allows user enumeration: a POST request to the "/v3/auth/tokens" endpoint takes a measurably different amount of time to respond for a valid username than for an invalid one, so an unauthenticated client can tell which usernames exist. The vendor views this as a hardening opportunity rather than a security issue.
**Recommendations**
For OpenStack Keystone versions through 14.0.1, mitigate the user enumeration risk by equalizing response times for valid and invalid usernames, so that an authentication request performs the same amount of work whether or not the user exists. As a temporary workaround, restrict access to the "/v3/auth/tokens" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
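The pattern behind the timing difference, and the equalized-work mitigation the recommendation describes, as an added illustration that is not Keystone's own code: `authenticate_leaky` returns before any password hashing when the user is unknown, while `authenticate_constant` always runs the hash and compares against a dummy record. PBKDF2 stands in for Keystone's real password hasher, and the user store, function names and iteration count are assumptions made for this example.

```python
import hashlib
import os
import secrets
import statistics
import time

# Assumed hasher parameters; Keystone's real backend and hasher differ.
_ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample user store (one known user) standing in for the identity backend.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credential hashed once at startup, so the hardened path does the same
# amount of work for an unknown user as for a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def authenticate_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown users skip the (slow) hash entirely,
    so their requests are answered measurably faster."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return secrets.compare_digest(hash_password(password, salt), stored)


def authenticate_constant(username: str, password: str) -> bool:
    """Hardened pattern: always run the full hash; for unknown users compare
    against the dummy record and discard the result."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    match = secrets.compare_digest(hash_password(password, salt), stored)
    return match and record is not None


def median_auth_time(fn, username: str, password: str, rounds: int = 10) -> float:
    """Median seconds per call; lets a defender verify that known and unknown
    usernames take about the same time on the hardened path."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)
```

Running `median_auth_time` for "alice" and for an unknown name shows a large gap with `authenticate_leaky` and near-identical figures with `authenticate_constant`.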