CVE-2021-3563 log

Severity Medium
Remote Yes
Type Private key recovery
Keystone verifies only the first 72 characters of a secret; anything beyond that is ignored, giving users an inflated sense of security. This matches the 72-byte input limit of bcrypt, the hash Keystone applies to these secrets, so any string that shares the first 72 bytes of a longer secret is accepted as valid (with multi-byte UTF-8 characters the cut-off comes even sooner than 72 characters). The default secret length appears to be 86 characters, so the last 14 contribute nothing. Brute-forcing 72 characters is out of reach for most attackers today, but the state of the art is constantly evolving.
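The following script is an added example, not Keystone's code or the advisory's, that reproduces the failure mode above and shows the usual mitigation. It needs no third-party package: bcrypt is modelled by truncating the input to 72 bytes and feeding it to PBKDF2-HMAC-SHA256 from the standard library, so the only bcrypt property it relies on is the input limit (the real bcrypt.hashpw/checkpw behave the same way on over-long input). The function names, the 16-byte salt layout and the PBKDF2 iteration count are assumptions made for the demonstration.

```python
"""CVE-2021-3563 style truncation: a suffix past byte 72 is never checked.

Constructed example. bcrypt is stood in for by _kdf(), which truncates to
72 bytes and then runs PBKDF2-HMAC-SHA256; function names, salt layout and
iteration count are assumptions of this demo, not Keystone's implementation.
"""
import base64
import hashlib
import hmac
import os
import secrets

BCRYPT_INPUT_LIMIT = 72   # bytes beyond this point are silently ignored
ITERATIONS = 10_000       # work factor of the stand-in KDF (not a bcrypt cost)
SALT_LEN = 16


def _kdf(password: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt's core: only the first 72 bytes influence the hash."""
    return hashlib.pbkdf2_hmac("sha256", password[:BCRYPT_INPUT_LIMIT], salt, ITERATIONS)


def hash_truncating(secret: str) -> bytes:
    """Vulnerable pattern: the raw secret goes straight into the 72-byte KDF."""
    salt = os.urandom(SALT_LEN)
    return salt + _kdf(secret.encode("utf-8"), salt)


def verify_truncating(stored: bytes, secret: str) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(digest, _kdf(secret.encode("utf-8"), salt))


def _prehash(secret: str) -> bytes:
    # SHA-256 then base64: always 44 bytes, so it never hits the limit, and
    # every byte of the original secret contributes. The base64 step matters:
    # a raw digest can contain NUL bytes, which some bcrypt implementations
    # treat as end-of-string.
    return base64.b64encode(hashlib.sha256(secret.encode("utf-8")).digest())


def hash_prehashed(secret: str) -> bytes:
    """Hardened pattern: pre-hash so no part of the secret is discarded."""
    salt = os.urandom(SALT_LEN)
    return salt + _kdf(_prehash(secret), salt)


def verify_prehashed(stored: bytes, secret: str) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(digest, _kdf(_prehash(secret), salt))


def effective_bytes(secret: str) -> int:
    """Audit helper: how many bytes of a secret the truncating verifier checks.

    Counts UTF-8 bytes, not characters, because that is what bcrypt limits.
    """
    return min(len(secret.encode("utf-8")), BCRYPT_INPUT_LIMIT)


def demo() -> dict:
    """Generate an 86-character secret and a forgery agreeing on bytes 0..71."""
    # token_urlsafe(64) yields 86 URL-safe characters, the default secret
    # length the advisory mentions (the generator itself is a demo choice).
    secret = secrets.token_urlsafe(64)
    forged = secret[:BCRYPT_INPUT_LIMIT] + "X" * (len(secret) - BCRYPT_INPUT_LIMIT)
    assert forged != secret and len(secret) == 86

    trunc_hash = hash_truncating(secret)
    safe_hash = hash_prehashed(secret)
    return {
        "secret_length": len(secret),
        "checked_bytes": effective_bytes(secret),
        "truncating_accepts_real": verify_truncating(trunc_hash, secret),
        "truncating_accepts_forged": verify_truncating(trunc_hash, forged),  # True: the bug
        "prehashed_accepts_real": verify_prehashed(safe_hash, secret),
        "prehashed_accepts_forged": verify_prehashed(safe_hash, forged),     # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the truncating verifier accepting a forged secret that differs in its last 14 characters, while the pre-hashed verifier rejects it. The effective_bytes helper is the check to run against an existing secret policy: any byte it does not count adds nothing against a guessing attack on the truncated hash.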
Group      Package    Affected   Fixed   Severity   Status         Ticket
AVG-1979   keystone   0.9.2-1    -       Medium     Not affected   -
The CVE affects OpenStack Keystone, not the similarly named Keystone Engine assembler framework, which is what the keystone package listed above provides.