Lockout reflects user UUID
Bug #1901225 reported by
Arjen
This bug report is a duplicate of:
Bug #1688137: [OSSA-2021-003] Account name and UUID oracles in account locking (CVE-2021-38155).
Edit
Remove
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
New
|
Undecided
|
Unassigned | ||
| OpenStack Security Advisory |
Incomplete
|
Undecided
|
Unassigned | ||
Bug Description
Intro
-----
While performing a penetration test on a new OpenStack install of version Train, we found an issue that could lead to an information disclosure.
Description
-----------
In this test situation we had a valid user for a project. After supplying an existing username with an incorrect password for a few times (at the /auth/tokens endpoint, as used by the CLI), the account is (temporarily) locked out. The JSON error response contains the user ID (not the username itself). This user ID could potentially be used in later attacks.
Precondition
------------
- Valid username for a project
Discovered on October 8, 2020 by Arjen Zijlstra (<email address hidden>) and Arthur Donkers (arthur@1secure.nl)
Revision history for this message
| Jeremy Stanley (fungi) wrote | #1 |
| description: | updated |
| Changed in ossa: | |
| status: | New → Incomplete |
Revision history for this message
| Arjen (i2rcnasjfnk3) wrote | #2 |
Revision history for this message
| Jeremy Stanley (fungi) wrote | #3 |
| description: | updated |
| information type: | Private Security → Public Security |
To post a comment you must log in.
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.