CVE-2018-20170

MEDIUM

OpenStack Keystone <14.0.1 - Info Disclosure

Title source: llm

Description

OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory

References (1)

[Exploit, Issue Tracking, Third Party Advisory] https://bugs.launchpad.net/keystone/+bug/1795800

Scores

CVSS v3 5.3

EPSS 0.0019

EPSS Percentile 41.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200

Status published

Affected Products (1)

openstack/keystone < 14.0.1

Timeline

Published Dec 17, 2018

Tracked Since Feb 18, 2026