Versions of keystone prior to 0.3.16 are affected by a partial authentication bypass vulnerability. In the default sign-in functionality, if an attacker provides the full, correct password but only part of the associated email address, authentication is granted.
Update to version 0.3.16 or later.
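A regression check for the behaviour described above, added here as an example; it is not keystone's code. The in-memory `users` store, the function names and the unanchored pattern lookup are assumptions chosen to reproduce the described symptom, and the account data is constructed.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: one account in a hypothetical in-memory store.
function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}
const salt = crypto.randomBytes(16);
const users = [
  { email: 'alice.admin@example.com', salt, hash: hashPassword('correct horse battery', salt) },
];

function passwordMatches(user, password) {
  return crypto.timingSafeEqual(user.hash, hashPassword(password, user.salt));
}

// Assumed flawed lookup: the submitted email is used as an unanchored,
// case-insensitive pattern, so any fragment of a stored address selects it.
function signinPartialMatch(email, password) {
  if (typeof email !== 'string' || typeof password !== 'string' || !email) return null;
  const escaped = email.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const pattern = new RegExp(escaped, 'i');
  const user = users.find((u) => pattern.test(u.email));
  return user && passwordMatches(user, password) ? user.email : null;
}

// Hardened lookup: normalise, then require equality with the whole address.
function signinExactMatch(email, password) {
  if (typeof email !== 'string' || typeof password !== 'string') return null;
  const wanted = email.trim().toLowerCase();
  const user = users.find((u) => u.email.toLowerCase() === wanted);
  return user && passwordMatches(user, password) ? user.email : null;
}

// Regression cases a sign-in test suite should carry for this class of bug.
function runRegression(signin) {
  const pw = 'correct horse battery';
  return {
    fullEmail: signin('alice.admin@example.com', pw) !== null,
    mixedCase: signin('Alice.Admin@Example.com', pw) !== null,
    partialEmail: signin('alice', pw) !== null,
    domainOnly: signin('@example.com', pw) !== null,
    wrongPassword: signin('alice.admin@example.com', 'nope') !== null,
  };
}

console.log('partial-match lookup:', runRegression(signinPartialMatch));
console.log('exact-match lookup:  ', runRegression(signinExactMatch));
```

The `partialEmail` and `domainOnly` cases must come back `false` for any sign-in path; a `true` there means the identifier is being matched as a fragment rather than compared whole.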
published: Advisory published, Dec 4th, 2015
reported: Initial report by Greg Meyer, Dec 4th, 2015