CVE-2020-14359
Keycloak Gatekeeper vulnerable to bypass on using lower case HTTP headers
CVSS 3.1 base score: 7.3 (HIGH)
EPSS: 0.26%
Description
A vulnerability was found in all versions of the deprecated package Keycloak Gatekeeper. Gatekeeper's header checks do not treat HTTP header names case-insensitively, so a client that sends the relevant headers with lower-case names (trivially done with cURL, which passes header names through verbatim) is not caught by those checks. HTTP header field names are case-insensitive by specification (RFC 7230), and web servers such as Jetty accept lower-case names as equivalent to their canonical form. The result is that a Gatekeeper placed in front of a Jetty server offers no protection against requests that use lower-case header names.
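The following is an added illustration of the bug class described above, written for this page; it is not Keycloak Gatekeeper's code and does not reproduce its internals. It models an authentication proxy that is supposed to strip any client-supplied identity header before forwarding a request, beside a Jetty-like backend that looks headers up case-insensitively. The header name `X-Auth-User`, the forged request, and the authenticated user `alice` are constructed for the example. The naive proxy compares header names with exact case and lets a lower-case `x-auth-user` through, so the backend trusts the client's forged value; the hardened proxy compares names case-insensitively, as RFC 7230 requires, and the forgery is dropped.

```python
"""Case-sensitive header filtering in an auth proxy (constructed example).

Not Keycloak Gatekeeper's code. Models a proxy that must remove any
client-supplied identity header before forwarding, and a backend that,
like Jetty, treats header names case-insensitively (RFC 7230).
"""
from typing import Callable, List, Tuple

# Identity header the proxy sets after authenticating the client and the
# backend trusts. Hypothetical name chosen for this example.
IDENTITY_HEADER = "X-Auth-User"

# Raw (name, value) pairs exactly as they appear on the wire; cURL's -H
# sends the name with whatever case the user typed.
Headers = List[Tuple[str, str]]


def strip_client_identity_naive(headers: Headers) -> Headers:
    """Vulnerable filter: exact-case match misses 'x-auth-user'."""
    return [(n, v) for n, v in headers if n != IDENTITY_HEADER]


def strip_client_identity_fixed(headers: Headers) -> Headers:
    """Hardened filter: compare header names case-insensitively."""
    target = IDENTITY_HEADER.lower()
    return [(n, v) for n, v in headers if n.lower() != target]


def forward(headers: Headers,
            strip: Callable[[Headers], Headers],
            authenticated_user: str) -> Headers:
    """Model of the proxy: drop client identity claims, then assert its own."""
    return strip(headers) + [(IDENTITY_HEADER, authenticated_user)]


def backend_identity(headers: Headers) -> str:
    """Model of a Jetty-like backend: case-insensitive lookup, first match wins."""
    target = IDENTITY_HEADER.lower()
    for name, value in headers:
        if name.lower() == target:
            return value
    return "anonymous"


# Constructed request: the client presents a valid token for 'alice' but
# also forges the trusted identity header in lower case.
FORGED_REQUEST: Headers = [
    ("Host", "app.internal"),
    ("x-auth-user", "admin"),
    ("Authorization", "Bearer <valid token for alice>"),
]


def identity_seen_by_backend(strip: Callable[[Headers], Headers]) -> str:
    """Run the forged request through the proxy and report who the backend sees."""
    return backend_identity(forward(FORGED_REQUEST, strip, "alice"))


if __name__ == "__main__":
    print("naive proxy:", identity_seen_by_backend(strip_client_identity_naive))
    print("fixed proxy:", identity_seen_by_backend(strip_client_identity_fixed))
```

With the naive filter the backend's first matching header is the client's `x-auth-user: admin`, so the proxy's authentication is bypassed even though the proxy appended its own `X-Auth-User: alice`. The fix is not specific to this one header: every comparison of a header name in a proxy or gateway should be made on the canonicalised (or lower-cased) name, and trusted headers should be removed by case-insensitive match before the proxy adds its own.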
How to fix CVE-2020-14359
No fixed version has been published, and the package is deprecated upstream. Mitigate by removing Keycloak Gatekeeper from the request path (replacing it with a maintained authentication proxy) or by applying the upstream guidance.
- No fixed version listed
Is CVE-2020-14359 being exploited?
Low: EPSS is 0.26%, i.e. the model estimates a 0.26% probability of exploitation in the wild within the next 30 days, so exploitation at scale is not expected.
Affected packages (1)
- Keycloak Gatekeeper: all versions from 0 up to and including 1.2.8
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |