PT-2018-15283 · Openstack · Openstack Keystone

Andy Ngo

Published: 2018-12-17 · Updated: 2024-08-05 · CVE-2018-20170

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenStack Keystone versions through 14.0.1

Description: The issue allows for user enumeration due to the difference in response times for valid and invalid usernames when making a POST request to the "/v3/auth/tokens" endpoint. The vendor views this as a hardening opportunity rather than a security issue.

Recommendations: For OpenStack Keystone versions through 14.0.1, consider implementing measures to equalize response times for valid and invalid usernames to mitigate the user enumeration risk. As a temporary workaround, restrict access to the "/v3/auth/tokens" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
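The following is an added illustration of the mitigation the recommendation describes; it is not Keystone code and is not taken from the advisory. It assumes a toy in-memory user store with PBKDF2 password hashes (constructed here) and an assumed minimum response floor of 0.25 seconds. The naive check returns early when the username does not exist, so the unknown-user path skips the expensive hash and answers measurably faster; the hardened check always runs the same hash computation against a dummy credential and then pads the response to the floor, so valid and invalid usernames take the same time.

```python
"""Equalizing login response time for known vs. unknown usernames (added example)."""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000              # PBKDF2 work factor for this illustration
MIN_RESPONSE_SECONDS = 0.25      # assumed floor; an operator would tune this per deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash; deliberately slow so timing differences are visible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed sample user store: username -> (salt, stored hash). Not real data.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse battery", _ALICE_SALT))}

# Dummy credential used whenever the username is unknown, so the same work is done.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password-never-accepted", _DUMMY_SALT)


def authenticate_naive(username: str, password: str) -> bool:
    """Early return for unknown users: the fast path leaks which usernames exist."""
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(hash_password(password, salt), stored)


def authenticate_hardened(username: str, password: str) -> bool:
    """Same work and at least the same wall-clock time regardless of username validity."""
    start = time.monotonic()
    known = username in USERS
    # Unknown user: fall back to the dummy salt/hash so PBKDF2 still runs in full.
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    hash_matches = hmac.compare_digest(hash_password(password, salt), stored)
    # A match against the dummy hash must never count as a login.
    result = hash_matches and known
    # Pad the response to a fixed floor to absorb any remaining variance.
    remaining = MIN_RESPONSE_SECONDS - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return result


def timed(fn, *args):
    """Return (result, elapsed_seconds) so the two paths can be compared."""
    t0 = time.monotonic()
    result = fn(*args)
    return result, time.monotonic() - t0


if __name__ == "__main__":
    for name in ("alice", "nobody"):
        _, naive_t = timed(authenticate_naive, name, "wrong password")
        _, hard_t = timed(authenticate_hardened, name, "wrong password")
        print(f"{name:>7}: naive {naive_t * 1000:7.1f} ms   hardened {hard_t * 1000:7.1f} ms")
```

Running the script shows the naive path answering in well under a millisecond for the unknown user but taking a full PBKDF2 round for the known one, while the hardened path sits at the floor for both. The dummy-hash step is the substantive fix; the sleep-based floor only smooths residual jitter and is not a substitute for doing equal work on both paths.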

Exploit

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2018-20170
PYSEC-2018-9

Affected Products

Openstack Keystone