
Cloud Vulnerability DB
A community-led vulnerabilities database
OpenStack Keystone versions 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 contained a vulnerability (CVE-2021-38155) related to information disclosure during account locking. The vulnerability was discovered by Samuel de Medeiros Queiroz from Oi Cloud and was publicly disclosed on August 10, 2021. The issue specifically affects deployments that have enabled the security_compliance.lockout_failure_attempts feature (OpenStack Advisory).
The vulnerability exists in the PCI DSS account locking feature implementation. When an authentication attempt fails multiple times for a user account, the system would return an error message containing sensitive information, including the account's UUID. This implementation flaw allows unauthenticated actors to confirm the existence of accounts and obtain their corresponding UUIDs. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).
The vulnerability enables two primary attack vectors. First, attackers can confirm the existence of user accounts by attempting authentication until the lockout threshold is reached, because the API response changes to indicate that the account is locked. Second, attackers can obtain user account UUIDs from the lockout error messages, which could be leveraged in other, unrelated attacks (OpenStack Advisory, Launchpad Bug).
The vulnerability has been patched in multiple versions: 16.0.2, 17.0.1, 18.0.1, and 19.0.1. The fix modifies the system to hide the AccountLocked exception from end users and instead return a generic Unauthorized error, preventing information disclosure while maintaining the account locking functionality. For deployments that cannot immediately update, the alternative is to disable the security_compliance.lockout_failure_attempts feature (Launchpad Bug).
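The following simplified Python model, added here as an illustration and not Keystone's own code, contrasts the pre-fix behaviour (the AccountLocked message, including the user's UUID, reaching the client) with the patched behaviour (a generic Unauthorized error while the lockout stays enforced). The exception names come from the advisory; the store layout, message strings, helper names and the sample UUID are hypothetical.

```python
import copy

LOCKOUT_FAILURE_ATTEMPTS = 3  # stands in for security_compliance.lockout_failure_attempts
GENERIC_ERROR = "The request you have made requires authentication."

class Unauthorized(Exception):
    """Generic failure that is safe to return to the caller."""

class AccountLocked(Exception):
    """Internal lockout signal; its message embeds the user's UUID."""
    def __init__(self, user_id):
        super().__init__(f"The account is locked for user: {user_id}")

# Constructed sample identity store (hypothetical account, not real data).
SAMPLE_USERS = {"alice": {"id": "3f0d5c7e-9a2b-4c61-8e7f-1d2a3b4c5d6e",
                          "password": "correct-horse", "failures": 0}}

def _verify(store, username, password):
    """Shared lockout logic: raise AccountLocked once the threshold is hit."""
    user = store.get(username)
    if user is None:
        raise Unauthorized(GENERIC_ERROR)
    if user["failures"] >= LOCKOUT_FAILURE_ATTEMPTS:
        raise AccountLocked(user["id"])
    if password != user["password"]:
        user["failures"] += 1
        raise Unauthorized(GENERIC_ERROR)
    user["failures"] = 0
    return "token-for-" + user["id"]

def authenticate_vulnerable(store, username, password):
    """Pre-fix: the AccountLocked message reaches the client unchanged."""
    try:
        return 201, _verify(store, username, password)
    except (Unauthorized, AccountLocked) as exc:
        return 401, str(exc)

def authenticate_fixed(store, username, password):
    """Post-fix: lockout still enforced, but the client only sees the generic error."""
    try:
        return 201, _verify(store, username, password)
    except (Unauthorized, AccountLocked):
        return 401, GENERIC_ERROR

def simulate_lockout(authenticate, username, attempts=LOCKOUT_FAILURE_ATTEMPTS + 1):
    """Send `attempts` wrong passwords, then the right one; return (last error, final status)."""
    store = copy.deepcopy(SAMPLE_USERS)
    last = None
    for _ in range(attempts):
        _, last = authenticate(store, username, "wrong-password")
    status, _ = authenticate(store, username, SAMPLE_USERS.get(username, {}).get("password", ""))
    return last, status
```

After the fix an existing, locked account and a non-existent account produce byte-identical responses, which is what removes the account-enumeration signal.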
Source: This report was generated using AI