It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2018-02-21T18:00:00Z
Updated: 2024-08-05T18:28:16.559Z
Reserved: 2017-08-01T00:00:00
Link: CVE-2017-12161
Vulnrichment
No data.
NVD
Status : Modified
Published: 2018-02-21T18:29:00.213
Modified: 2024-11-21T03:08:57.533
Link: CVE-2017-12161
Redhat