High severityNVD Advisory· Published Feb 23, 2021· Updated Aug 4, 2024

CVE-2020-14359

Description

A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers (via cURL) an attacker can bypass our Gatekeeper. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when we put a Gatekeeper in front of a Jetty server and use lowercase headers.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/keycloak/keycloak-gatekeeperGo	<= 1.2.8	—

Affected products

N/a/Keycloakv5
Range: all versions as of 2021-02-22

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-jh6m-3pqw-242hghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-14359ghsaADVISORY
bugzilla.redhat.com/show_bug.cgighsax_refsource_MISCWEB
github.com/keycloak/keycloak/issues/12934ghsaWEB
issues.jboss.org/browse/KEYCLOAK-14090ghsax_refsource_MISCWEB
web.archive.org/web/20190613000352/github.com/keycloak/keycloak-gatekeeperghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000