{"id":"CVE-2018-20170","details":"OpenStack Keystone through 14.0.1 has a user enumeration vulnerability: a POST /v3/auth/tokens request gets a much faster response for an invalid username than for a valid one, so response timing reveals whether a username exists. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory.","aliases":["PYSEC-2018-9"],"modified":"2026-04-10T03:55:23.832527Z","published":"2018-12-17T07:29:00.747Z","references":[{"type":"REPORT","url":"https://bugs.launchpad.net/keystone/+bug/1795800"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openstack/keystone","events":[{"introduced":"0"},{"last_affected":"ec1c2e4f7bc20e6a70140c0be614d6c001973d1e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"14.0.1"}]}}],"versions":["10.0.0.0b1","10.0.0.0b2","10.0.0.0b3","10.0.0.0rc1","11.0.0","11.0.0.0b1","11.0.0.0b2","11.0.0.0b3","11.0.0.0rc1","12.0.0.0b1","12.0.0.0b2","12.0.0.0b3","12.0.0.0rc1","13.0.0.0b1","13.0.0.0b2","13.0.0.0b3","13.0.0.0rc1","14.0.0","14.0.0.0b1","14.0.0.0b2","14.0.0.0rc1","14.0.0.0rc2","14.0.1","2011.3","2013.2.b1","2013.2.b3","2013.2.rc1","2014.1.b1","2014.1.b2","2014.1.b3","2014.1.rc1","2014.2.b1","2014.2.b2","2014.2.b3","2014.2.rc1","2015.1.0b1","2015.1.0b2","2015.1.0b3","2015.1.0rc1","8.0.0.0b1","8.0.0.0b2","8.0.0.0b3","8.0.0.0rc1","8.0.0a0","9.0.0.0b1","9.0.0.0b2","9.0.0.0b3","9.0.0.0rc1","essex-4","essex-rc1","folsom-1","folsom-2","folsom-rc1","grizzly-1","grizzly-2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20170.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}