Severity: low

Authentication Weakness



Versions of keystone prior to 0.3.16 are affected by a partial authentication bypass vulnerability. In the default sign-in functionality, if an attacker provides the full, correct password but only part of the associated email address, authentication is granted.


Update to version 0.3.16 or later.
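The partial email match described above can be shown with a loose user lookup next to an exact one. This is an added example, not Keystone's code: the advisory does not state the root cause, so the unanchored-pattern lookup, the user records and all function names here are assumptions made for illustration.

```javascript
// Added illustration; not Keystone's code. Users and function names are constructed.
const crypto = require('crypto');

const hashPassword = (password, salt) => crypto.scryptSync(password, salt, 32);

function makeUser(email, password) {
  const salt = crypto.randomBytes(16);
  return { email, salt, hash: hashPassword(password, salt) };
}

// Constructed sample user store.
const users = [
  makeUser('alice@example.com', 'correct horse battery staple'),
  makeUser('bob@example.com', 'another-long-passphrase'),
];

// Weak lookup (assumed cause): the submitted value is used as an unanchored,
// case-insensitive pattern, so a fragment of a stored address selects that user.
function findUserLoose(email) {
  const pattern = new RegExp(email, 'i');
  return users.find((u) => pattern.test(u.email));
}

// Corrected lookup: normalise case and whitespace, then compare the whole address.
function findUserExact(email) {
  const wanted = email.trim().toLowerCase();
  return users.find((u) => u.email.toLowerCase() === wanted);
}

function signin(findUser, email, password) {
  if (typeof email !== 'string' || typeof password !== 'string' || email === '') return false;
  const user = findUser(email);
  // Constant-time comparison of equal-length scrypt outputs.
  return Boolean(user) && crypto.timingSafeEqual(user.hash, hashPassword(password, user.salt));
}

// Regression check for a test suite: full address accepted, fragment rejected.
function rejectsPartialEmail(findUser) {
  const pw = 'correct horse battery staple';
  return signin(findUser, 'alice@example.com', pw) && !signin(findUser, 'alice', pw);
}

console.log('loose lookup passes check:', rejectsPartialEmail(findUserLoose));
console.log('exact lookup passes check:', rejectsPartialEmail(findUserExact));
```

A check like `rejectsPartialEmail` is worth keeping in the sign-in test suite after upgrading, so a later change to the lookup cannot reintroduce partial matching unnoticed.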


Advisory timeline

  1. published: Advisory published, Dec 4th, 2015
  2. reported: Initial report by Greg Meyer, Dec 4th, 2015