CVE-2021-3563 log

Source
Severity: Medium
Remote: Yes
Type: Private key recovery
Description
Keystone verifies only part of the secret: the first 72 characters. Any additional characters are ignored, giving users an inflated sense of security. The default length of a secret appears to be 86 characters. While brute-forcing a secret of that size is out of reach for many attackers, the state of the art is constantly evolving.
Group     Package   Affected  Fixed  Severity  Status        Ticket
AVG-1979  keystone  0.9.2-1   -      Medium    Not affected  -
References
https://bugzilla.redhat.com/show_bug.cgi?id=1962908
https://docs.openstack.org/keystone/latest/
Notes
The CVE affects OpenStack Keystone (https://docs.openstack.org/keystone/latest/), not the similarly named Keystone Engine (https://www.keystone-engine.org/).