Vulnerability Details CVE-2018-20170
OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 42.0%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
Products affected by CVE-2018-20170
- cpe:2.3:a:openstack:keystone:-
- cpe:2.3:a:openstack:keystone:10.0.0
- cpe:2.3:a:openstack:keystone:10.0.1
- cpe:2.3:a:openstack:keystone:10.0.2
- cpe:2.3:a:openstack:keystone:10.0.3
- cpe:2.3:a:openstack:keystone:11.0.0
- cpe:2.3:a:openstack:keystone:11.0.1
- cpe:2.3:a:openstack:keystone:11.0.2
- cpe:2.3:a:openstack:keystone:11.0.3
- cpe:2.3:a:openstack:keystone:11.0.4
- cpe:2.3:a:openstack:keystone:12.0.0
- cpe:2.3:a:openstack:keystone:12.0.1
- cpe:2.3:a:openstack:keystone:12.0.2
- cpe:2.3:a:openstack:keystone:12.0.3
- cpe:2.3:a:openstack:keystone:13.0.0
- cpe:2.3:a:openstack:keystone:13.0.1
- cpe:2.3:a:openstack:keystone:13.0.2
- cpe:2.3:a:openstack:keystone:14.0.0
- cpe:2.3:a:openstack:keystone:14.0.1
- cpe:2.3:a:openstack:keystone:8.0.0
- cpe:2.3:a:openstack:keystone:8.0.1
- cpe:2.3:a:openstack:keystone:8.0.2
- cpe:2.3:a:openstack:keystone:8.1.0
- cpe:2.3:a:openstack:keystone:8.1.2
- cpe:2.3:a:openstack:keystone:9.0.0
- cpe:2.3:a:openstack:keystone:9.0.1
- cpe:2.3:a:openstack:keystone:9.0.2
- cpe:2.3:a:openstack:keystone:9.1.0
- cpe:2.3:a:openstack:keystone:9.2.0
- cpe:2.3:a:openstack:keystone:9.3.0