It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2018-02-21T18:00:00Z

Updated: 2024-08-05T18:28:16.559Z

Reserved: 2017-08-01T00:00:00

Link: CVE-2017-12161

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-02-21T18:29:00.213

Modified: 2024-11-21T03:08:57.533

Link: CVE-2017-12161

cve-icon Redhat

Severity : Moderate

Publid Date: 2017-12-14T00:00:00Z

Links: CVE-2017-12161 - Bugzilla