Keycloak SSO versions prior to 2.x are vulnerable to Host Header Injection on the forgot password page, causing the application to send a poisoned URL as the password reset link.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000500
https://github.com/keycloak/keycloak-documentation/pull/268/commits/a2b58aadee42af2c375b72e86dffc2cf23cc3770
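The defect the report describes is generic: a password-reset link whose host part is copied from the request's Host header is controlled by whoever sends the request, so the e-mailed link can point at a host the operator never intended. The following is an added example, not Keycloak's code and not from the bug report, showing the vulnerable construction beside two defences: building the link from a configured canonical base URL, and refusing (or flagging for logging) any request whose Host header is not on an allow-list. The header dicts, the `ALLOWED_HOSTS` and `CANONICAL_BASE` values, the `/auth/reset-credentials` path and the reset token are all constructed assumptions.

```python
"""Host-header-controlled password-reset links: the defect and two defences.

Constructed example (not Keycloak code). A request is modelled as a plain
dict of HTTP headers; the reset token is a placeholder string.
"""
from urllib.parse import urlencode, urlsplit

# Assumed deployment configuration: the only hostnames this SSO instance
# is served under, and the externally visible base URL it should put in e-mails.
ALLOWED_HOSTS = {"sso.example.com", "sso.example.com:8443"}
CANONICAL_BASE = "https://sso.example.com"
RESET_PATH = "/auth/reset-credentials"  # assumed path, not necessarily Keycloak's


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Defect: the link's authority is taken straight from the request.

    Whatever host the request arrived with (a forged Host header, or a name
    resolved through a tampered /etc/hosts) is echoed into the e-mailed link.
    """
    scheme = headers.get("X-Forwarded-Proto", "http")
    host = headers["Host"]
    return f"{scheme}://{host}{RESET_PATH}?{urlencode({'key': token})}"


def build_reset_link_hardened(token: str) -> str:
    """Defence 1: never derive scheme or host from the request.

    The authority comes from operator configuration, so a poisoned Host header
    cannot change where the reset link points.
    """
    return f"{CANONICAL_BASE}{RESET_PATH}?{urlencode({'key': token})}"


def host_header_is_allowed(headers: dict) -> bool:
    """Defence 2 / detection: is the request's Host one we actually serve?

    Normalises case and a trailing dot (both equivalent in DNS) before the
    allow-list lookup; a missing Host header is treated as not allowed.
    """
    host = headers.get("Host", "").strip().lower().rstrip(".")
    return host in ALLOWED_HOSTS


def reset_link_for_request(headers: dict, token: str) -> str:
    """Combined handler: reject unexpected hosts, then build the link safely.

    Raising here is the point where a real deployment would also log the
    offending Host value, since a mismatch is a useful detection signal.
    """
    if not host_header_is_allowed(headers):
        raise ValueError(f"unexpected Host header: {headers.get('Host')!r}")
    return build_reset_link_hardened(token)


def link_host(link: str) -> str:
    """Return the host:port part of a URL (helper for comparing links)."""
    return urlsplit(link).netloc


if __name__ == "__main__":
    # Constructed request with a poisoned Host header.
    poisoned = {"Host": "attacker.example", "X-Forwarded-Proto": "https"}
    print("vulnerable:", build_reset_link_vulnerable(poisoned, "TOKEN-PLACEHOLDER"))
    print("hardened:  ", build_reset_link_hardened("TOKEN-PLACEHOLDER"))
    print("allowed?   ", host_header_is_allowed(poisoned))
```

The allow-list check is worth having even when the canonical base URL is configured: the configured URL fixes the e-mailed link, while the allow-list turns a tampered Host header from a silent success into a rejected request that can be alerted on.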
Attack relies on compromising the /etc/hosts file and tricking the user into clicking a reset password link with an invalid URL. Wontfix for RHMAP-4
*** This bug has been marked as a duplicate of bug 1484564 ***
Statement: This flaw was found to be a duplicate of CVE-2017-12161. Please see https://access.redhat.com/security/cve/CVE-2017-12161 for information about affected products and security errata.