PT-2018-4553 · Openstack · Keystone

Published

2018-05-29

Updated

2018-07-20

CVE-2015-9240

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions keystone versions prior to 0.3.16

Description The issue is related to a bug in the default sign in functionality, where incomplete email addresses could be matched, potentially allowing for partial authentication bypass. A correct password is still required to complete the sign in process. If an attacker provides a full and correct password along with only part of the associated email address, authentication may be granted.

Recommendations Update to version 0.3.16 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-255CWE-1255

Related Identifiers

CVE-2015-9240

GHSA-39PJ-GQ8Q-9PFJ

Affected Products

Keystone

PT-2018-4553 · Openstack · Keystone

CVE-2015-9240

Weakness Enumeration

Related Identifiers

Affected Products

References · 6