CVE-2017-12161
First published: Wed Aug 23 2017(Updated: )
<a href="https://issues.jboss.org/browse/KEYCLOAK-5299">https://issues.jboss.org/browse/KEYCLOAK-5299</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Keycloak Authenticator | <3.4.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-12161?
CVE-2017-12161 is considered to have a medium severity due to the potential for URL spoofing in password reset requests.
What versions of Keycloak are affected by CVE-2017-12161?
CVE-2017-12161 affects Keycloak versions prior to 3.4.2 final.
How do I fix CVE-2017-12161?
To fix CVE-2017-12161, update Keycloak to version 3.4.2 final or later.
What kind of attack does CVE-2017-12161 enable?
CVE-2017-12161 enables an attacker to spoof URLs in password reset requests using a misconfigured client-side /etc/hosts entry.
Is there any workaround if I can't update Keycloak for CVE-2017-12161?
There are no official workarounds for CVE-2017-12161, so updating Keycloak is the recommended solution.
- collector/redhat-bugzilla
- alias/CVE-2017-12161
- agent/first-publish-date
- agent/type
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/description
- agent/author
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/keycloak
- canonical/keycloak authenticator