CVE-2020-14359

HIGH

Keycloak Gatekeeper - Auth Bypass

Title source: llm

Description

A flaw was found in all versions of Keycloak Gatekeeper (the project later renamed Louketo Proxy). Gatekeeper matches HTTP header names case-sensitively, so a client that sends header names in lower case (trivial with cURL, which sends a header exactly as given on the command line) bypasses Gatekeeper's header handling. HTTP field names are case-insensitive and some web servers, Jetty among them, accept lower-case headers, so a Gatekeeper placed in front of a Jetty server provides no protection against requests that use lower-case headers.
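The following is an added illustration of the vulnerability class described above, not Gatekeeper's or Louketo Proxy's own code; the page does not name the specific header or check that was bypassed. It assumes a proxy that strips a client-supplied identity header (hypothetically `X-Auth-Userid`) before forwarding, so that only the proxy can set it. The vulnerable variant compares the raw key case-sensitively, the fixed variant canonicalizes the key first; the "upstream" models a Jetty-like server that reads headers case-insensitively. The request blocks are constructed sample input.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strings"
)

// rawHeaders models a header block as parsed by a naive proxy that keeps the
// client's original key case (assumption; Gatekeeper's parser is not on this page).
type rawHeaders map[string]string

// parseHeaderBlock splits "Key: value" lines into a map, preserving key case.
func parseHeaderBlock(block string) rawHeaders {
	h := rawHeaders{}
	for _, line := range strings.Split(block, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		k, v, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		h[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return h
}

// trustedHeader is the hypothetical identity header the upstream trusts; the
// proxy must remove any copy supplied by the client.
const trustedHeader = "X-Auth-Userid"

// stripVulnerable removes the header only when the key matches exactly, so a
// lower-case "x-auth-userid" survives and reaches the upstream.
func stripVulnerable(h rawHeaders) rawHeaders {
	out := rawHeaders{}
	for k, v := range h {
		if k == trustedHeader {
			continue
		}
		out[k] = v
	}
	return out
}

// stripFixed canonicalizes each key before comparing, matching the
// case-insensitive field-name semantics of RFC 7230.
func stripFixed(h rawHeaders) rawHeaders {
	out := rawHeaders{}
	for k, v := range h {
		if textproto.CanonicalMIMEHeaderKey(k) == trustedHeader {
			continue
		}
		out[k] = v
	}
	return out
}

// upstreamUser models a Jetty-like server: it returns the identity header's
// value regardless of the case the key arrived in, or "" if absent.
func upstreamUser(h rawHeaders) string {
	for k, v := range h {
		if strings.EqualFold(k, trustedHeader) {
			return v
		}
	}
	return ""
}

func main() {
	// Constructed attacker request: the trusted header sent in lower case,
	// as `curl -H 'x-auth-userid: admin'` would send it.
	attack := parseHeaderBlock("Host: app.example\nx-auth-userid: admin\n")
	fmt.Printf("vulnerable proxy, upstream sees user %q\n", upstreamUser(stripVulnerable(attack)))
	fmt.Printf("fixed proxy, upstream sees user %q\n", upstreamUser(stripFixed(attack)))
}
```

The field check that corresponds to this model is to send the header in question in lower case with `curl -H` and observe whether the upstream honours it; cURL does not re-case header names, so the request reaches the proxy exactly as typed. The general lesson is that any filter, allowlist or strip that runs on header names must normalize them (or use a case-insensitive lookup) before comparing, since the server behind it will.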

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=1868591 (Issue Tracking, Vendor Advisory)
https://issues.jboss.org/browse/KEYCLOAK-14090 (Issue Tracking, Permissions Required, Third Party Advisory)

Scores

CVSS v3 7.3
EPSS 0.0096
EPSS Percentile 56.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-305
Status published
Products (2)
keycloak/keycloak-gatekeeper (Go)
redhat/louketo_proxy
Published Feb 23, 2021
Tracked Since Feb 18, 2026