CVE-2020-14359 – github.com/keycloak/keycloak-gatekeeper

Package

Manager: go
Name: github.com/keycloak/keycloak-gatekeeper
Vulnerable Version: >=0 <=1.2.8

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00259 pctl0.49028

Details

Keycloak Gatekeeper vulnerable to bypass on using lower case HTTP headers A vulnerability was found in all versions of the deprecated package Keycloak Gatekeeper, where on using lower case HTTP headers (via cURL) we can bypass our Gatekeeper. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when we put a Gatekeeper in front of a Jetty server and use lowercase headers.

Metadata

Created: 2022-02-09T00:56:04Z
Modified: 2022-08-12T20:52:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-jh6m-3pqw-242h/GHSA-jh6m-3pqw-242h.json
CWE IDs: ["CWE-305"]
Alternative ID: GHSA-jh6m-3pqw-242h
Finding: F184
Auto approve: 1