
Moderate severity vulnerability that affects org.keycloak:keycloak-core

Moderate severity GitHub Reviewed Published Oct 18, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

org.keycloak:keycloak-core (Maven)

Affected versions

< 3.4.2

Patched versions

3.4.2

Description

It was found that Keycloak before 3.4.2 Final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and obtain a valid reset token, leading to information disclosure or further attacks.
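The underlying pattern is a reset link built from whatever hostname the client presented, so a client that resolves the server's name to another address (the advisory's /etc/hosts case) receives a reset e-mail pointing at that host. The following is an added illustration, not Keycloak's code or its 3.4.2 fix: it shows the weak pattern next to a hardened one that validates the presented host against a server-side allowlist and builds the link from a configured base URL. All names (FRONTEND_BASE_URL, ALLOWED_HOSTS, the function names and the reset path) and the sample hosts are assumptions made for the example.

```python
"""Added example (not Keycloak's code): build password-reset links from a
server-side configured base URL instead of the client-supplied Host, and
refuse to issue a link when the presented host is not allowlisted.
Configuration names and values below are constructed for the example."""
from urllib.parse import urlsplit, urlunsplit, urlencode

# Server-side configuration (constructed values, hypothetical names).
FRONTEND_BASE_URL = "https://sso.example.com"
ALLOWED_HOSTS = {"sso.example.com"}
RESET_PATH = "/auth/reset-credentials"  # hypothetical path


class UntrustedHostError(ValueError):
    """Raised when a reset link is requested for a host we do not serve."""


def vulnerable_reset_link(request_host: str, token: str) -> str:
    """Weak pattern: the link host is copied from the request. Whoever controls
    the name resolution or Host header on the client side controls where the
    reset token is sent."""
    return f"https://{request_host}{RESET_PATH}?{urlencode({'key': token})}"


def normalize_host(request_host: str):
    """Extract a lowercase hostname from a Host value, dropping any port and a
    trailing dot; returns None when the value does not parse as a host."""
    try:
        hostname = urlsplit("//" + request_host).hostname
    except ValueError:
        return None
    return hostname.rstrip(".") if hostname else None


def hardened_reset_link(request_host: str, token: str) -> str:
    """Hardened pattern: reject hosts outside the allowlist, then build the
    link from the configured base URL so the request cannot steer it."""
    host = normalize_host(request_host)
    if host is None or host not in ALLOWED_HOSTS:
        raise UntrustedHostError(f"refusing reset link for host {request_host!r}")
    base = urlsplit(FRONTEND_BASE_URL)
    return urlunsplit((base.scheme, base.netloc, RESET_PATH,
                       urlencode({"key": token}), ""))


if __name__ == "__main__":
    print(vulnerable_reset_link("attacker.example.net", "tok123"))
    print(hardened_reset_link("SSO.example.com:443", "tok123"))
    try:
        hardened_reset_link("attacker.example.net", "tok123")
    except UntrustedHostError as exc:
        print("rejected:", exc)
```

The rejection in hardened_reset_link is also the place to emit a log event: a reset request whose presented host is not one the deployment serves is a useful detection signal on its own, independent of whether the link is ever sent.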

References

Published to the GitHub Advisory Database Oct 18, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Moderate

EPSS score

0.293% (70th percentile)

Weaknesses

CVE ID

CVE-2017-12161

GHSA ID

GHSA-959q-32g8-vvp7

Source code

No known source code