PT-2021-9721 · Red Hat · Keycloak Gatekeeper

Dhananjay Arunesh · Published 2021-02-23 · Updated 2022-08-10 · CVE-2020-14359

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Keycloak Gatekeeper, all versions

Description
A vulnerability was found in Keycloak Gatekeeper where an attacker can bypass the Gatekeeper by sending HTTP headers with lower-case names, for example via cURL. This issue is particularly problematic when the Gatekeeper is placed in front of certain web servers, such as Jetty, that also accept lower-case header names; in that deployment the Gatekeeper provides no protection.

Recommendations
As a temporary workaround, consider restricting the use of lower-case HTTP header names until a patch is available. Avoid relying on lower-case headers in API endpoints, such as /api/v1/login, until the issue is resolved. Restrict access to the Gatekeeper when it is used in front of a Jetty server to minimize the risk of exploitation.
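The bug class described above is a header filter that compares field names byte-for-byte while the upstream server, as RFC 7230 requires, treats field names as case-insensitive. The following Go snippet is an added illustration written for this page, not Keycloak Gatekeeper's own code: the protected header name X-Auth-Subject, the sample request and both filter variants are hypothetical, and the hardened variant normalises names the same way Go's net/http does before comparing.

```go
package main

import (
	"net/textproto"
	"strings"
)

// Hypothetical policy: the proxy must strip any client-supplied
// X-Auth-Subject header, because the upstream trusts its value.
const protectedHeader = "X-Auth-Subject"

// Header is one raw "Name: value" pair with the name kept exactly as sent.
type Header struct{ Name, Value string }

// stripProtected removes the protected header. With canonical=false it
// compares names byte-for-byte (the weak check, which "x-auth-subject"
// slips past); with canonical=true it first normalises each name with
// the canonical form Go's net/http uses, so every spelling is caught.
func stripProtected(hdrs []Header, canonical bool) []Header {
	var kept []Header
	for _, h := range hdrs {
		name := h.Name
		if canonical {
			name = textproto.CanonicalMIMEHeaderKey(name)
		}
		if name != protectedHeader {
			kept = append(kept, h)
		}
	}
	return kept
}

// reachesUpstream models a server such as Jetty that matches header names
// case-insensitively: it reports whether the header would still be honoured.
func reachesUpstream(hdrs []Header, name string) bool {
	for _, h := range hdrs {
		if strings.EqualFold(h.Name, name) {
			return true
		}
	}
	return false
}

// Constructed sample request: the protected header arrives in lower case.
var sampleRequest = []Header{
	{"Host", "example.internal"},
	{"x-auth-subject", "admin"},
	{"Accept", "*/*"},
}
```

Running stripProtected on sampleRequest with canonical=false leaves the lower-case header in place and reachesUpstream reports it as honoured; with canonical=true the header is removed and only Host and Accept are forwarded.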

Fix

Weakness Enumeration

Related Identifiers

CVE-2020-14359
GHSA-JH6M-3PQW-242H

Affected Products

Jetty
Keycloak Gatekeeper