PYSEC-2018-9

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2018-9.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2018-9
Aliases
Published
2018-12-17T07:29:00Z
Modified
2023-11-08T04:00:11.214462Z
Summary
[none]
Details

** DISPUTED ** OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory.

References

Affected packages

PyPI / keystone

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
14.1.0

Affected versions

12.*
12.0.2
12.0.3
13.*
13.0.2
13.0.3
13.0.4
14.*
14.0.0
14.0.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2018-9.yaml"