https://issues.jboss.org/browse/KEYCLOAK-5299
Attack relies on compromising /etc/hosts file and tricking user into clicking reset password link with invalid URL. Wontfix for RHMAP-4
*** Bug 1533319 has been marked as a duplicate of this bug. ***