CVE-2021-3563
Description
A flaw was found in openstack-keystone. Only the first 72 characters of an application credential secret are verified, allowing attackers to bypass some of the password complexity that administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In OpenStack Keystone, only the first 72 characters of application credential secrets are verified, allowing attackers to bypass intended password complexity requirements.
Root cause
OpenStack Keystone's application credential API only verifies the first 72 characters of a secret, ignoring any characters beyond that [3]. Administrators may rely on password complexity rules (e.g., via password_regex) to enforce strong secrets, but this enforcement does not apply to application credentials, and even if a longer secret is set, only a prefix is checked [3].
Exploitation
An attacker who obtains or guesses an application credential's ID—potentially via other vulnerabilities such as bug 1901207 [3]—can attempt to authenticate using a weak or truncated secret. The lack of lockout mechanisms for the application credential API further increases the attack surface, allowing brute-force attempts without rate limiting [3].
Impact
Successful exploitation could allow an attacker to authenticate as the application credential owner, leading to unauthorized access to data and resources. The confidentiality and integrity of the OpenStack environment are at risk [1][2].
Mitigation
Patches are available in Keystone version 22.0.1 and later [4]. Debian and Red Hat have issued updates [1][4]. Administrators should upgrade to a fixed version and consider applying additional controls such as stricter monitoring of application credential usage.
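The root-cause and mitigation sections above describe a verifier that silently ignores everything past a fixed prefix of the secret. The following added example (written for this page, not Keystone's code) models that failure mode with a constructed hashing primitive that only consumes its first 72 bytes, shows the pre-hashing pattern that removes the truncation, and provides a check an operator can run against any store/verify pair to find out whether bytes past the limit still matter. Function names, the 72-byte constant for the model, and the PBKDF2 stand-in are all assumptions of this example; the advisory speaks of characters, which for ASCII secrets coincide with bytes.

```python
import hashlib
import hmac
import os

# Constructed model of a password-hashing primitive that consumes only the
# first PRIMITIVE_LIMIT bytes of its input. It is not Keystone's code; it is a
# stand-in that reproduces the failure mode described in the advisory.
PRIMITIVE_LIMIT = 72


def limited_kdf(secret: bytes, salt: bytes) -> bytes:
    """Slow hash that silently ignores everything past PRIMITIVE_LIMIT bytes."""
    return hashlib.pbkdf2_hmac("sha256", secret[:PRIMITIVE_LIMIT], salt, 10_000)


def store_naive(secret: str) -> tuple[bytes, bytes]:
    """Vulnerable pattern: feed the raw secret straight into the limited KDF."""
    salt = os.urandom(16)
    return salt, limited_kdf(secret.encode("utf-8"), salt)


def verify_naive(record: tuple[bytes, bytes], candidate: str) -> bool:
    """Accepts any candidate whose first PRIMITIVE_LIMIT bytes match."""
    salt, digest = record
    return hmac.compare_digest(digest, limited_kdf(candidate.encode("utf-8"), salt))


def store_prehashed(secret: str) -> tuple[bytes, bytes]:
    """Mitigated pattern: fold the whole secret through SHA-256 first, so the
    limited KDF sees a fixed 32-byte value that depends on every input byte."""
    salt = os.urandom(16)
    folded = hashlib.sha256(secret.encode("utf-8")).digest()
    return salt, limited_kdf(folded, salt)


def verify_prehashed(record: tuple[bytes, bytes], candidate: str) -> bool:
    """Counterpart of store_prehashed; a change anywhere in the secret is rejected."""
    salt, digest = record
    folded = hashlib.sha256(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(digest, limited_kdf(folded, salt))


def truncation_detected(store, verify, length: int = 100) -> bool:
    """Operator check: register a long secret, then present the same secret with
    only its last character changed. A correct verifier must reject the change;
    returning True means bytes past some prefix are being ignored."""
    secret = "A" * (length - 1) + "x"      # constructed test secret
    tampered = "A" * (length - 1) + "y"    # differs only in the final byte
    record = store(secret)
    if not verify(record, secret):
        raise RuntimeError("verifier rejected the genuine secret; check the harness")
    return verify(record, tampered)


if __name__ == "__main__":
    print("naive verifier truncates:    ", truncation_detected(store_naive, verify_naive))
    print("prehashed verifier truncates:", truncation_detected(store_prehashed, verify_prehashed))
```

The check is deliberately black-box: it needs no knowledge of which hash the backend uses, only the ability to create a credential with a chosen secret and attempt verification with a one-byte variant. Run against the naive pair it reports True for any secret longer than 72 bytes and False at exactly 72, which is how an operator would localise the prefix length; against the pre-hashed pair it reports False at every length.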
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| keystone (PyPI) | <= 21.0.0 | — |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (12)
- github.com/advisories/GHSA-cc99-whm5-mmq3 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-3563 (advisory)
- access.redhat.com/security/cve/CVE-2021-3563 (web)
- bugs.launchpad.net/ossa/+bug/1901891 (web)
- bugzilla.redhat.com/show_bug.cgi (web)
- lists.debian.org/debian-lts-announce/2024/01/msg00007.html (web)
- opendev.org/openstack/keystone (package)
- opendev.org/openstack/keystone/commit/7859ed26003858ebfd9a5e866b43f1a6a9e83dca (web)
- review.opendev.org/c/openstack/keystone/+/803641 (web)
- review.opendev.org/c/openstack/keystone/+/828595 (web)
- review.opendev.org/c/openstack/keystone/+/856489 (web)
- security-tracker.debian.org/tracker/CVE-2021-3563 (web)
News mentions
No linked articles in our index yet.