Описание
It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.
Ссылки
- Issue TrackingThird Party Advisory
- PatchThird Party Advisory
- Issue TrackingThird Party Advisory
- PatchThird Party Advisory
Уязвимые конфигурации
EPSS
8.8 High
CVSS3
4.3 Medium
CVSS2
Дефекты
Связанные уязвимости
It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.
It was found that keycloak before 3.4.2 final would permit misuse of a ...
Moderate severity vulnerability that affects org.keycloak:keycloak-core
EPSS
8.8 High
CVSS3
4.3 Medium
CVSS2