
CVE-2021-3563: Openstack Keystone Incorrect Authorization vulnerability

CVSS Score (v3.1)
9.1

Basic Information

EPSS Score
0.07145%
Published
8/27/2022
Updated
1/22/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package Name
keystone
Ecosystem
pip
Vulnerable Versions
<= 21.0.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from bcrypt's inherent 72-byte password truncation not being handled in Keystone's password verification: bcrypt silently ignores everything after the first 72 bytes of its input. The verify_length_and_trunc_password function was responsible for enforcing length limits, but before the patch it did not account for this algorithm-specific constraint, so a secret longer than 72 bytes was accepted while only its first 72 bytes ever took part in verification. The commit 7859ed2 explicitly addresses this by adding algorithm-aware truncation, confirming this function's role in the vulnerability.
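The following is an added illustration of an algorithm-aware length check in the spirit of the fix described above. It is hypothetical code written for this page, not Keystone's verify_length_and_trunc_password or the code from commit 7859ed2; the function name check_password_length, the ALGORITHM_MAX_BYTES table, the max_password_length default of 4096 and the sample secrets are all assumptions made here. The only fact it relies on from the page is that bcrypt verifies at most the first 72 bytes of its input. Note that the limit is a byte limit: a 40-character secret made of two-byte UTF-8 characters already exceeds it.

```python
"""Algorithm-aware password length check (hypothetical illustration, not Keystone's code)."""

from dataclasses import dataclass

# bcrypt hashes at most the first 72 bytes of its input; anything beyond that is
# silently ignored by the algorithm itself (the fact stated in the analysis above).
BCRYPT_MAX_BYTES = 72

# Hypothetical per-algorithm input limits; None means the algorithm imposes none.
ALGORITHM_MAX_BYTES = {"bcrypt": BCRYPT_MAX_BYTES, "scrypt": None, "pbkdf2_sha512": None}


class PasswordTooLong(ValueError):
    """Raised when a secret exceeds a limit it would otherwise be silently cut to."""


@dataclass(frozen=True)
class LengthResult:
    hashed_bytes: bytes   # the bytes the hasher will actually consume
    truncated: bool       # True if the algorithm would have dropped part of the input


def check_password_length(password: str, hasher: str,
                          max_password_length: int = 4096,
                          strict: bool = True) -> LengthResult:
    """Return the bytes a given hasher will actually see.

    max_password_length is an assumed deployment-wide limit. With strict=True a
    secret the algorithm would silently truncate is rejected, so a secret whose
    tail never takes part in verification cannot be stored. With strict=False the
    truncation is applied explicitly and reported, which is useful for auditing
    existing secrets rather than for accepting new ones.
    """
    data = password.encode("utf-8")   # limits are byte limits, not character limits
    if len(data) > max_password_length:
        raise PasswordTooLong(f"secret is {len(data)} bytes, limit is {max_password_length}")
    algo_limit = ALGORITHM_MAX_BYTES.get(hasher)
    if algo_limit is not None and len(data) > algo_limit:
        if strict:
            raise PasswordTooLong(
                f"{hasher} only verifies the first {algo_limit} bytes; got {len(data)}")
        return LengthResult(data[:algo_limit], True)
    return LengthResult(data, False)


def same_effective_secret(a: str, b: str, hasher: str) -> bool:
    """Audit helper: would the hasher treat two distinct secrets as identical input?"""
    ra = check_password_length(a, hasher, strict=False)
    rb = check_password_length(b, hasher, strict=False)
    return ra.hashed_bytes == rb.hashed_bytes


if __name__ == "__main__":
    base = "A" * 72                           # constructed sample secret, exactly 72 ASCII bytes
    long_a, long_b = base + "-tail-1", base + "-tail-2"
    print(same_effective_secret(long_a, long_b, "bcrypt"))   # True: the tails are never verified
    print(same_effective_secret(long_a, long_b, "scrypt"))   # False: no algorithm-level limit
    try:
        check_password_length(long_a, "bcrypt")              # strict mode rejects the secret
    except PasswordTooLong as exc:
        print("rejected:", exc)
```

The strict path is the one a credential store should take: rejecting an over-long secret at creation time tells the administrator that the complexity they configured beyond byte 72 would not have been verified, instead of silently storing a weaker secret than intended. The non-strict path only exists so that existing secrets can be audited for the condition.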

WAF Protection Rules

WAF Rule

A flaw was found in openstack-keystone, only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to …
