It was found that Keycloak would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.
The attack relies on compromising the /etc/hosts file and tricking the user into clicking a reset-password link with an invalid URL. Wontfix for RHMAP-4.
*** Bug 1533319 has been marked as a duplicate of this bug. ***
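The flaw described in the report, shown as an added example that is not Keycloak's code: a reset link built from the request's Host header next to one anchored to a configured canonical URL with a Host allowlist. The hostnames, configuration values and function names are constructed for illustration.

```python
import secrets
from urllib.parse import urlsplit

# Constructed deployment settings: the public URL users should reach the
# server at, and the Host header values the server agrees to serve.
CANONICAL_BASE_URL = "https://sso.example.test"
ALLOWED_HOSTS = {"sso.example.test"}


def issue_reset_token() -> str:
    """Constructed stand-in for the server's reset-token generator."""
    return secrets.token_urlsafe(32)


def reset_link_from_host_header(headers: dict, token: str) -> str:
    """Weak pattern: the emailed link is built from whatever Host the client
    sent. A requester whose own name resolution maps a different hostname to
    this server can make the victim's reset email point at that hostname,
    while the token in the link remains valid here."""
    return f"https://{headers['Host']}/reset?token={token}"


def host_is_allowed(headers: dict) -> bool:
    """Compare the Host header (port stripped, case-folded) to the allowlist."""
    host = headers.get("Host", "").split(":", 1)[0].lower()
    return host in ALLOWED_HOSTS


def reset_link_from_config(headers: dict, token: str) -> str:
    """Hardened pattern: reject requests carrying an unexpected Host, and
    build the link from the configured canonical URL rather than from the
    request, so the emailed link can only point at this deployment."""
    if not host_is_allowed(headers):
        raise ValueError(f"unexpected Host header: {headers.get('Host')!r}")
    return f"{CANONICAL_BASE_URL}/reset?token={token}"


def link_host(link: str) -> str:
    """Hostname a reset link would deliver the token to when clicked."""
    return urlsplit(link).hostname


if __name__ == "__main__":
    token = issue_reset_token()
    # Constructed requests: one with the expected Host, one with a spoofed one.
    genuine = {"Host": "sso.example.test:443"}
    spoofed = {"Host": "reset-helper.example.test"}
    print("weak, spoofed     ->", link_host(reset_link_from_host_header(spoofed, token)))
    print("hardened, genuine ->", link_host(reset_link_from_config(genuine, token)))
    print("hardened, spoofed ->", "rejected" if not host_is_allowed(spoofed) else "accepted")
```

A server-side allowlist check does not help unless the link is also built from configuration; the second function does both.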