CVE-2020-14359

HIGH

Keycloak Gatekeeper - Auth Bypass


Description

A vulnerability was found in all versions of Keycloak Gatekeeper (later renamed Louketo Proxy): when a request sends its HTTP headers in lower case (for example with cURL), an attacker can bypass the Gatekeeper's checks. HTTP header field names are case-insensitive, and some web servers, Jetty among them, accept lower-case headers as equivalent to their usual spelling. A Gatekeeper placed in front of such a Jetty server therefore provides no protection against a request that uses lower-case headers.
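The advisory describes a mismatch between a proxy that matches header names case-sensitively and a backend that does not. The program below is an added illustration of that bug class, written for this page; it is not Gatekeeper's or Louketo Proxy's code, and the page does not say where in Gatekeeper the check sits. It assumes a hypothetical proxy that must strip client-supplied identity headers (the names X-Auth-Roles and X-Auth-Userid are assumptions) before forwarding to a backend that, like Jetty, folds header-name case. Because Go's net/http server canonicalises incoming header names, a Go proxy only falls into this trap when it handles names outside http.Header, as the raw map here does. The request headers are constructed to mirror a lower-case header sent from cURL.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strings"
)

// Header names that only the proxy may set; a client-supplied copy must be
// dropped before forwarding. Both names are assumptions for this example.
var protectedHeaders = []string{"X-Auth-Roles", "X-Auth-Userid"}

// parseHeaderLines turns raw "Name: value" lines into a map keyed by the
// name exactly as the client wrote it, preserving the client's case.
func parseHeaderLines(lines []string) map[string][]string {
	h := make(map[string][]string)
	for _, line := range lines {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			continue
		}
		name := strings.TrimSpace(parts[0])
		h[name] = append(h[name], strings.TrimSpace(parts[1]))
	}
	return h
}

// stripProtectedExact models the bug class: protected headers are deleted by
// exact, case-sensitive name, so "x-auth-roles" survives while "X-Auth-Roles"
// is removed.
func stripProtectedExact(h map[string][]string) {
	for _, name := range protectedHeaders {
		delete(h, name)
	}
}

// stripProtectedFolded is the corrected form: both sides are canonicalised
// with textproto.CanonicalMIMEHeaderKey, so any spelling of a protected
// name is removed (RFC 7230 makes field names case-insensitive).
func stripProtectedFolded(h map[string][]string) {
	protected := make(map[string]bool, len(protectedHeaders))
	for _, name := range protectedHeaders {
		protected[textproto.CanonicalMIMEHeaderKey(name)] = true
	}
	for name := range h {
		if protected[textproto.CanonicalMIMEHeaderKey(name)] {
			delete(h, name)
		}
	}
}

// backendRoles models a case-insensitive backend such as Jetty: it returns
// the X-Auth-Roles value however the client spelled the name.
func backendRoles(h map[string][]string) string {
	for name, values := range h {
		if strings.EqualFold(name, "X-Auth-Roles") && len(values) > 0 {
			return values[0]
		}
	}
	return ""
}

// forward runs the client's header lines through the chosen strip function
// and returns the role string the backend would end up trusting.
func forward(lines []string, strip func(map[string][]string)) string {
	h := parseHeaderLines(lines)
	strip(h)
	return backendRoles(h)
}

func main() {
	// Constructed request, equivalent to: curl -H 'x-auth-roles: admin' ...
	attack := []string{"Host: app.example", "x-auth-roles: admin"}
	fmt.Printf("exact-match strip: backend trusts roles=%q\n", forward(attack, stripProtectedExact))
	fmt.Printf("case-folded strip: backend trusts roles=%q\n", forward(attack, stripProtectedFolded))
}
```

To check a deployment for the same class of problem, send the header the proxy is supposed to own in an unusual case (for instance `curl -H 'x-auth-roles: admin'` against the proxy) and confirm the backend never sees a client-controlled value; the test must be run against the proxy, not the backend, since the backend accepting lower-case names is expected behaviour.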

Scores

CVSS v3 7.3
EPSS 0.0026
EPSS Percentile 49.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-305 (Authentication Bypass by Primary Weakness)
Status published
Products (2)
keycloak/keycloak-gatekeeper (Go)
redhat/louketo_proxy
Published Feb 23, 2021
Tracked Since Feb 18, 2026