Keycloak is vulnerable to information disclosure. A misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request allows an attacker to craft a malicious password reset request and obtain a valid reset token, resulting in an unauthorized password change and access to the application.
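The root cause described above is a password reset link whose host is derived from the incoming request rather than from server-side configuration. The following is an added illustration of that pattern and its mitigation; it is not Keycloak's own code, and the hostnames, token and header values are constructed. The vulnerable builder copies the request `Host` header into the link; the hardened `ResetLinkPolicy` pins the link to a configured canonical base URL and rejects requests whose `Host` header is not on the allowlist, so a spoofed hostname can neither redirect the link nor be silently accepted.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample values (not from any real deployment).
CANONICAL_BASE = "https://sso.example.com"
SAMPLE_TOKEN = "tok-constructed-0001"


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's host comes from the request itself.

    Whatever hostname the client presents in the Host header ends up in the
    e-mailed reset URL, so the reset token is delivered to that host.
    """
    host = headers.get("Host", "")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}/auth/reset?{urlencode({'token': token})}"


class ResetLinkPolicy:
    """Hardened pattern: the link is built from a server-side canonical URL."""

    def __init__(self, canonical_base: str):
        parts = urlsplit(canonical_base)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("canonical base must be an absolute https URL")
        self.canonical_base = canonical_base.rstrip("/")
        # Allowlist is derived from configuration, never from the request.
        self.allowed_hosts = {parts.netloc.lower()}

    def host_is_trusted(self, headers: dict) -> bool:
        """Exact, case-insensitive match against the configured host (including port, if any)."""
        return headers.get("Host", "").strip().lower() in self.allowed_hosts

    def build_reset_link(self, headers: dict, token: str) -> str:
        # Reject rather than "fix up" an untrusted Host: a mismatch is a
        # signal worth logging, not something to quietly tolerate.
        if not self.host_is_trusted(headers):
            raise ValueError(
                f"rejecting reset request with untrusted Host header {headers.get('Host')!r}"
            )
        # The emitted link never depends on request-controlled data except the token.
        return f"{self.canonical_base}/auth/reset?{urlencode({'token': token})}"


if __name__ == "__main__":
    legit = {"Host": "sso.example.com"}
    spoofed = {"Host": "spoofed-host.example"}  # constructed, resolves only on the requester's machine
    print("vulnerable, spoofed Host:", build_reset_link_vulnerable(spoofed, SAMPLE_TOKEN))
    policy = ResetLinkPolicy(CANONICAL_BASE)
    print("hardened, legitimate Host:", policy.build_reset_link(legit, SAMPLE_TOKEN))
    try:
        policy.build_reset_link(spoofed, SAMPLE_TOKEN)
    except ValueError as exc:
        print("hardened, spoofed Host:", exc)
```

The design point is that the reset link must not be a function of anything the requester controls other than the token itself: a configured frontend URL (or an explicit hostname allowlist) is the only source for scheme and host, and a `Host` header that does not match is treated as a rejected request and a log-worthy event.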
| CPE | Name | Operator | Version |
|---|---|---|---|
| | keycloak core | le | 3.4.1.Final |