CVE-2021-3563

A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity.

CVSS v3.0 7.4 HIGH

7.4^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2021-3563	Issue Tracking Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2021-3563	Exploit Issue Tracking Third Party Advisory
https://bugs.launchpad.net/ossa/+bug/1901891	Exploit Issue Tracking Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1962908	Exploit Issue Tracking Third Party Advisory Vendor Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:redhat:openstack_platform:16.1:::::::*
	cpe:2.3:a:redhat:openstack_platform:13.0:::::::*
	cpe:2.3:a:redhat:openstack_platform:10.0:::::::*
	cpe:2.3:a:redhat:openstack_platform:16.2:::::::*

Information

Published : 2022-08-26 09:15

Updated : 2022-11-28 09:24

NVD link : CVE-2021-3563

Mitre link : CVE-2021-3563

JSON object : View

CWE

CWE-863

Incorrect Authorization

Advertisement

Products Affected

debian

debian_linux

openstack

keystone

redhat

openstack_platform

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://access.redhat.com/security/cve/CVE-2021-3563", "name": "https://access.redhat.com/security/cve/CVE-2021-3563", "tags": ["Issue Tracking", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://security-tracker.debian.org/tracker/CVE-2021-3563", "name": "https://security-tracker.debian.org/tracker/CVE-2021-3563", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://bugs.launchpad.net/ossa/+bug/1901891", "name": "https://bugs.launchpad.net/ossa/+bug/1901891", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory", "VDB Entry"], "refsource": "MISC"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1962908", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1962908", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory", "Vendor Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-863"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-3563", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}}, "publishedDate": "2022-08-26T16:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:openstack_platform:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-11-28T17:24Z"}