CVE-2018-20170

unknown

Published 2018-12-17 · Modified 2023-11-08

CVSS v3

—

CVSS v2

—

VIR risk

—

Description

** DISPUTED ** OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2018-20170.html

OS impact

OS	Version	Status	Fixed in
sles		affected

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	keystone	`<14.1.0`	`14.1.0`

References

https://www.suse.com/security/cve/CVE-2018-20170.html
https://bugs.launchpad.net/keystone/+bug/1795800

Verify integrity in audit chain (admin only). AS-IS.