Medium severity5.4NVD Advisory· Published Oct 26, 2017· Updated Jun 17, 2026
CVE-2017-12158
CVE-2017-12158
Description
It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.keycloak:keycloak-parentMaven | < 3.4.0 | 3.4.0 |
Affected products
20cpe:2.3:a:redhat:single_sign_on:7.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:redhat:single_sign_on:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:single_sign_on:7.1:*:*:*:*:*:*:*
- osv-coords16 versionspkg:apk/chainguard/keycloakpkg:apk/chainguard/keycloak-26.2pkg:apk/chainguard/keycloak-26.3pkg:apk/chainguard/keycloak-26.4pkg:apk/chainguard/keycloak-26.5pkg:apk/chainguard/keycloak-26.6pkg:apk/chainguard/keycloak-bitnami-compatpkg:apk/chainguard/keycloak-compatpkg:apk/wolfi/keycloakpkg:apk/wolfi/keycloak-26.3pkg:apk/wolfi/keycloak-26.4pkg:apk/wolfi/keycloak-26.5pkg:apk/wolfi/keycloak-26.6pkg:apk/wolfi/keycloak-bitnami-compatpkg:apk/wolfi/keycloak-compatpkg:maven/org.keycloak/keycloak-parent
< 0+ 15 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 3.4.0
- Red Hat, Inc./keycloakv5Range: 3.4.0
Patches
Vulnerability mechanics
References
8- www.securityfocus.com/bid/101618nvdThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHSA-2017:2904nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:2905nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:2906nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-v38p-mqq3-m6v5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-12158ghsaADVISORY
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingWEB
- web.archive.org/web/20210124114020/http://www.securityfocus.com/bid/101618ghsaWEB
News mentions
0No linked articles in our index yet.