
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability (CVE-2021-3563) was discovered in OpenStack Keystone, where only the first 72 characters of an application secret are verified during authentication. This limitation allows attackers to bypass password complexity requirements that administrators may be relying on for security. The vulnerability was reported in 2020 and affects multiple versions of the OpenStack Keystone authentication service (Launchpad Bug, Debian Security).
The vulnerability stems from the bcrypt hashing algorithm used in Keystone, which silently truncates the input it hashes to 72 bytes. This creates a false sense of security, because any characters beyond the 72-byte limit are ignored both when the hash is stored and when a secret is verified against it. The default length of application credential secrets is 86 characters, so the remaining 14 characters contribute nothing to the stored hash and are effectively ignored (Red Hat Bugzilla).
The primary impact of this vulnerability affects data confidentiality and integrity. Organizations relying on password complexity requirements beyond the 72-character limit may have a false sense of security, as additional complexity is ignored during verification (Debian LTS).
The vulnerability has been fixed in multiple versions of OpenStack Keystone. The fix includes proper handling of password length limitations and implementation of appropriate warnings when passwords are truncated. Fixed versions include Keystone 23.0.0.0rc1 and various backported patches to stable branches (Launchpad Bug).
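An added illustration (not code from the page or from Keystone) of the truncation described above and of the kind of length check the fix introduces. It uses only the standard library and models which bytes bcrypt consumes rather than calling bcrypt itself; the pre-hash helper is a hypothetical mitigation, not Keystone's.

```python
import base64
import hashlib
import warnings

BCRYPT_MAX_BYTES = 72  # bcrypt silently ignores input beyond this many bytes


def effective_bcrypt_input(secret: str) -> bytes:
    """Return the bytes bcrypt actually hashes: the UTF-8 encoding cut at 72 bytes.

    The limit is in bytes, not characters, so a secret made of multi-byte
    UTF-8 characters loses even more characters than an ASCII one.
    """
    return secret.encode("utf-8")[:BCRYPT_MAX_BYTES]


def ignored_byte_count(secret: str) -> int:
    """Number of trailing bytes that never influence the stored hash."""
    return max(0, len(secret.encode("utf-8")) - BCRYPT_MAX_BYTES)


def secrets_collide(a: str, b: str) -> bool:
    """True when two distinct secrets feed bcrypt identical input and so verify interchangeably."""
    return a != b and effective_bcrypt_input(a) == effective_bcrypt_input(b)


def check_secret_length(secret: str) -> str:
    """Length check modelled on the fix: warn when part of a secret would be discarded."""
    dropped = ignored_byte_count(secret)
    if dropped:
        warnings.warn(
            f"secret exceeds {BCRYPT_MAX_BYTES} bytes; {dropped} trailing byte(s) "
            "will be ignored by bcrypt",
            stacklevel=2,
        )
    return secret


def prehash_for_bcrypt(secret: str) -> bytes:
    """Hypothetical mitigation: SHA-256 the secret and base64 the digest.

    The 44-byte result fits under the bcrypt limit, so every byte of the
    original secret influences the hash; base64 also avoids NUL bytes, which
    some bcrypt implementations treat as a terminator.
    """
    digest = hashlib.sha256(secret.encode("utf-8")).digest()
    return base64.b64encode(digest)


# Constructed sample: 86 characters, the default application credential length cited above
SAMPLE_SECRET = "A" * 72 + "B" * 14
```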
Source: This report was generated using AI