GHSA-959q-32g8-vvp7

Source

https://github.com/advisories/GHSA-959q-32g8-vvp7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-959q-32g8-vvp7/GHSA-959q-32g8-vvp7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-959q-32g8-vvp7

Aliases

CVE-2017-12161

Published

2018-10-18T16:50:05Z

Modified

2024-12-02T05:38:19.096262Z

Summary

Moderate severity vulnerability that affects org.keycloak:keycloak-core

Details

It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T21:27:40Z",
    "cwe_ids": [
        "CWE-602"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

Maven / org.keycloak:keycloak-core

Package

Name: org.keycloak:keycloak-core; View open source insights on deps.dev
Purl: pkg:maven/org.keycloak/keycloak-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.2

Affected versions

1.*

1.0-alpha-1

1.0-alpha-1-12062013

1.0-alpha-2

1.0-alpha-3

1.0-alpha-4

1.0-beta-1

1.0-beta-1-20150521

1.0-beta-1-20150523

1.0-beta-2

1.0-beta-3

1.0-beta-4

1.0-rc-1

1.0-rc-2

1.0-final

1.0.1.Final

1.0.2.Final

1.0.3.Final

1.0.4.Final

1.0.5.Final

1.1.0.Beta1

1.1.0.Beta2

1.1.0.Final

1.1.1.Final

1.2.0.Beta1

1.2.0.CR1

1.2.0.Final

1.3.0.Final

1.3.1.Final

1.4.0.Final

1.5.0-Final

1.5.0.Final

1.5.1.Final

1.6.0.Final

1.6.1.Final

1.7.0.CR1

1.7.0.Final

1.8.0.Alpha1

1.8.0.CR1

1.8.0.CR2

1.8.0.CR3

1.8.0.Final

1.8.1.Final

1.9.0.CR1

1.9.0.Final

1.9.1.Final

1.9.2.Final

1.9.3.Final

1.9.4.Final

1.9.5.Final

1.9.7.Final

1.9.8.Final

2.*

2.0.0.CR1

2.0.0.Final

2.1.0.CR1

2.1.0.Final

2.2.0.CR1

2.2.0.Final

2.2.1.Final

2.3.0.CR1

2.3.0.Final

2.4.0.CR1

2.4.0.Final

2.5.0.CR1

2.5.0.Final

2.5.1.Final

2.5.4.Final

2.5.5.Final

3.*

3.0.0.CR1

3.0.0.Final

3.1.0.CR1

3.1.0.Final

3.2.0.CR1

3.2.0.Final

3.2.1.Final

3.3.0.CR1

3.3.0.CR2

3.3.0.Final

3.4.0.CR1

3.4.0.Final

3.4.1.CR1

3.4.1.Final