Vulnerability Description
It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.
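As an added illustration of the flaw described above (not code from Keycloak or from this advisory): a constructed Python sketch of a password-reset link builder that derives the link from the request's Host header, beside a hardened version that ignores the request host and uses a configured canonical base URL plus an allowlist of hostnames the deployment actually serves. The hostnames, realm name and URL path are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed deployment settings for this example (not Keycloak's own
# configuration): the public hostname(s) the service is known to answer on.
TRUSTED_HOSTS = {"sso.example.com"}
CANONICAL_BASE = "https://sso.example.com"
RESET_PATH = "/auth/realms/demo/login-actions/reset-credentials"  # assumed path


def _host_from_headers(headers: dict) -> str:
    """Return the Host header value without any port, lower-cased."""
    return headers.get("Host", "").split(":", 1)[0].strip().lower()


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern CVE-2017-12161 describes: the emailed reset URL is built
    from the client-supplied Host header, so whoever controls that header
    (for example via a spoofed name resolution on the client) decides where
    the link, and the reset token inside it, will be sent."""
    return f"https://{headers.get('Host', '')}{RESET_PATH}?key={token}"


def host_is_trusted(headers: dict) -> bool:
    """Defensive check: accept only Host values from the configured allowlist."""
    return _host_from_headers(headers) in TRUSTED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> str:
    """Reject requests with an unexpected Host and never let the request
    influence the base of the generated link."""
    if not host_is_trusted(headers):
        raise ValueError(f"untrusted Host header: {_host_from_headers(headers)!r}")
    return f"{CANONICAL_BASE}{RESET_PATH}?key={token}"


def link_points_at_trusted_host(link: str) -> bool:
    """Post-generation check usable in tests or outbound-mail filtering."""
    return urlsplit(link).hostname in TRUSTED_HOSTS
```
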
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Keycloak | Keycloak | < 3.4.2 |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1484564 (Issue Tracking, Third Party Advisory)
- https://github.com/keycloak/keycloak-documentation/pull/268/commits/a2b58aadee42 (Patch, Third Party Advisory)
FAQ
What is CVE-2017-12161?
CVE-2017-12161 is a vulnerability in Keycloak with a CVSS base score of 8.8 (HIGH). It was found that Keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.
How severe is CVE-2017-12161?
CVE-2017-12161 has been rated HIGH with a CVSS base score of 8.8/10.
Is there a patch for CVE-2017-12161?
Check the references section above for the vendor issue tracker entry and the patch. The affected product is Keycloak in versions before 3.4.2.