Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2018-20170

** DISPUTED ** OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory.

Related bugs and status

CVE-2018-20170 (Candidate) is related to these bugs:

Bug #1795800: Timing oracle in core auth plugin simplifies brute-forcing usernames

Summary				In	Importance	Status
	1795800	Timing oracle in core auth plugin simplifies brute-forcing usernames		OpenStack Identity (keystone)	Wishlist	Triaged
	1795800	Timing oracle in core auth plugin simplifies brute-forcing usernames		OpenStack Security Advisory	Undecided	Won't Fix

See the

CVE page on Mitre.org for more details.

References

MISC: https://bugs.launchpad...