Keycloak is vulnerable to service account takeover. The vulnerability exists because the reset password flow for service accounts was using the placeholder.org domain.
access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/
access.redhat.com/errata/RHSA-2019:4040
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837
github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f
issues.jboss.org/browse/KEYCLOAK-10780
issues.jboss.org/browse/KEYCLOAK-11815