| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Private key recovery |
|
| Description |
| + |
Keystone only verifies part of the secret - the first 72 characters. Additional complexity is ignored, giving users an inflated sense of security. Default length of a secret seems to be 86 characters. While brute forcing at this scale is out of reach for many attackers, the state of the art is constantly evolving. |
|
| References |
| + |
https://bugzilla.redhat.com/show_bug.cgi?id=1962908 |
| + |
https://docs.openstack.org/keystone/latest/ |
|
| Notes |
| + |
The CVE affects OpenStack Keystone (https://docs.openstack.org/keystone/latest/), not the similarly named Keystone Engine (https://www.keystone-engine.org/). |
|