ID CVE-2020-14359
Summary A vulnerability was found in all versions of keycloak, where on using lower case HTTP headers (via cURL) we can bypass our Gatekeeper. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when we put a Gatekeeper in front of a Jetty server and use lowercase headers.
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:louketo_proxy:*:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:louketo_proxy:*:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 22-06-2021 - 15:45)
Impact:
Exploitability:
CWE CWE-305
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
Last major update 22-06-2021 - 15:45
Published 23-02-2021 - 13:15
Last modified 22-06-2021 - 15:45
Back to Top