Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpoNm0tM3Bxdy0yNDJo

Keycloak Gatekeeper vulnerable to bypass on using lower case HTTP headers

A vulnerability was found in all versions of the deprecated package Keycloak Gatekeeper: sending HTTP headers with lower-case names (for example via cURL) bypasses the Gatekeeper's header checks. Lower-case header names are also accepted by some web servers (e.g. Jetty), so a Gatekeeper placed in front of a Jetty server provides no protection against a client that uses lower-case headers.

Permalink: https://github.com/advisories/GHSA-jh6m-3pqw-242h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpoNm0tM3Bxdy0yNDJo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-jh6m-3pqw-242h, CVE-2020-14359
References: Repository: https://github.com/keycloak/keycloak
Blast Radius: 1.0

Affected Packages

go:github.com/keycloak/keycloak-gatekeeper
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: <= 1.2.8
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8