A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "7.3"
},
{
"last_affected": "7.3"
}
],
"source": "CPE_STRING",
"vendor_product": "redhat:single_sign-on",
"cpes": [
"cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*"
]
}
]
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0"
}
],
"cpe": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
]
}