—

PYSEC-2018-9

Details

** DISPUTED ** OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / keystone

Introduced in: 0 Fixed in: 14.1.0

Fix pip install --upgrade 'keystone>=14.1.0'

References

https://bugs.launchpad.net/keystone/+bug/1795800 [WEB]