CVE-2017-12161

HIGH

Keycloak <3.4.2 - Info Disclosure

Title source: llm

Description

It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.

References (2)

[Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1484564

[Patch, Third Party Advisory] https://github.com/keycloak/keycloak-documentation/pull/268/commits/a2b58aadee42af2c375b72e86dffc2cf23cc3770

Scores

CVSS v3 8.8

EPSS 0.0028

EPSS Percentile 51.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-640 CWE-602

Status published

Products (2)

keycloak/keycloak < 3.4.2

org.keycloak/keycloak-core 0 - 3.4.2Maven

Published Feb 21, 2018

Tracked Since Feb 18, 2026