PT-2021-21972 · Openstack · Openstack Keystone

Samuel De Medeiros Queiroz · Published 2021-08-06 · Updated 2024-05-03 · CVE-2021-38155

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
OpenStack Keystone versions 10.x through 16.x before 16.0.2
OpenStack Keystone versions 17.x before 17.0.1
OpenStack Keystone versions 18.x before 18.0.1
OpenStack Keystone versions 19.x before 19.0.1
Description: The issue allows information disclosure during account locking, a behaviour tied to Keystone's PCI DSS compliance features. By guessing the name of an account and failing to authenticate against it multiple times, any unauthenticated actor can confirm that the account exists and obtain the account's UUID. This information might be leveraged in other, unrelated attacks. All deployments that enable security_compliance.lockout_failure_attempts are affected.
Recommendations: For OpenStack Keystone versions 10.x through 16.x before 16.0.2, update to version 16.0.2 or later. For OpenStack Keystone versions 17.x before 17.0.1, update to version 17.0.1 or later. For OpenStack Keystone versions 18.x before 18.0.1, update to version 18.0.1 or later. For OpenStack Keystone versions 19.x before 19.0.1, update to version 19.0.1 or later. As a temporary workaround, consider disabling the security_compliance.lockout_failure_attempts feature until a patch can be applied.

Weakness Enumeration: Improper Restriction of Excessive Authentication Attempts

Related Identifiers

ALT-PU-2023-6877
ALT-PU-2024-7169
CVE-2021-38155
DLA-3714-1
GHSA-4225-97PR-RR52
SUSE-SU-2022:1654-1
SUSE-SU-2022:1729-1

Affected Products

Alt Linux
Openstack Keystone