URL Spoofing Affecting org.keycloak:keycloak-core package, versions [,3.4.2.Final)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.29% (70th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGKEYCLOAK-32109
  • published22 Feb 2018
  • disclosed23 Aug 2017
  • creditUnknown

Introduced: 23 Aug 2017

CVE-2017-12161  (opens in a new tab)
CWE-290  (opens in a new tab)

How to fix?

Upgrade org.keycloak:keycloak-core to version 3.4.2 or higher.

Overview

org.keycloak:keycloak-core is an open Source Identity and Access Management for modern Applications and Services.

Affected versions of this package are vulnerable to URL Spoofing. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.

Note: CVE-2017-1000500 is a duplicate of CVE-2017-12161.

CVSS Scores

version 3.1