Lockout reflects user UUID
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | New | Undecided | Unassigned |
OpenStack Security Advisory | Incomplete | Undecided | Unassigned |
Bug Description
Intro
-----
While performing a penetration test on a new OpenStack install of version Train, we found an issue that could lead to an information disclosure.
Description
-----------
In this test situation we had a valid user for a project. After supplying an existing username with an incorrect password a few times (at the /auth/tokens endpoint, as used by the CLI), the account is (temporarily) locked out. The JSON error response contains the user ID (not the username itself). This user ID could potentially be used in later attacks.
Precondition
------------
- Valid username for a project
Discovered on October 8, 2020 by Arjen Zijlstra (<email address hidden>) and Arthur Donkers (arthur@1secure.nl)
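As an added example, not part of this report or of Keystone's own code, the following Python checks a captured /auth/tokens error body for a user ID surfacing in the lockout message (the leak described above) and shows the redaction a fix would apply before the body reaches an unauthenticated caller. The sample response body is constructed and does not reproduce Keystone's exact message wording; the 32-hex user ID format is the uuid.hex form Keystone normally uses.

```python
import json
import re

# Constructed sample shaped like a Keystone v3 error body; only the fact that
# a user ID appears in the lockout message is modelled, not the real wording.
SAMPLE_LOCKOUT_RESPONSE = json.dumps({
    "error": {
        "code": 401,
        "title": "Unauthorized",
        "message": "The account is locked for user: 3a1f5c7e9b2d4f6081a3c5e7f9b1d3a5.",
    }
})

# Keystone user IDs are normally uuid.hex (32 hex chars); accept the hyphenated form too.
HEX = "[0-9a-f]"
UUID_RE = re.compile(rf"\b{HEX}{{8}}-?{HEX}{{4}}-?{HEX}{{4}}-?{HEX}{{4}}-?{HEX}{{12}}\b", re.I)


def _strings(node):
    """Yield every string value in a parsed JSON document (or a raw string)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def find_leaked_ids(body):
    """Return UUID-like tokens found anywhere in an auth error response body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        doc = body  # not JSON: scan the raw text instead
    return [m.group(0) for s in _strings(doc) for m in UUID_RE.finditer(s)]


def _redact(node):
    """Replace UUID-like tokens in every string of a parsed JSON document."""
    if isinstance(node, str):
        return UUID_RE.sub("[redacted]", node)
    if isinstance(node, dict):
        return {k: _redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [_redact(v) for v in node]
    return node


def redact_ids(body):
    """Rewrite the error body so identifiers never reach the unauthenticated caller."""
    return json.dumps(_redact(json.loads(body)))
```

Run `find_leaked_ids` over error bodies captured from a test account's failed logins to confirm whether a deployment is affected, and `redact_ids` shows the minimum change a response filter needs.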
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.