CVE-2020-14359

Name
CVE-2020-14359
Description
A vulnerability was found in all versions of Keycloak Gatekeeper (the proxy component, later renamed Louketo Proxy): a request whose HTTP header names are sent in lower case (for example via cURL) is not matched by the Gatekeeper, so the header-based protection it is supposed to provide is bypassed. HTTP header names are case-insensitive and some web servers (e.g. Jetty) accept lower-case names, so a Gatekeeper placed in front of a Jetty server offers no protection against requests that use lower-case headers.
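The failure mode described above, as an added example that is not code from Keycloak Gatekeeper or Louketo Proxy: a proxy that compares raw header names byte-for-byte against a guarded name misses the lower-case spelling, while the upstream (here Go's net/http standing in for Jetty) canonicalises the name and accepts the header anyway. The guarded header name `X-Auth-Token`, the two sample requests and the blocking policy are all constructed assumptions for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/textproto"
	"strings"
)

// Constructed sample requests (not captured traffic). They are identical
// except for the case of the header name.
const reqUpper = "GET /admin HTTP/1.1\r\nHost: app.example\r\nX-Auth-Token: forged\r\n\r\n"
const reqLower = "GET /admin HTTP/1.1\r\nHost: app.example\r\nx-auth-token: forged\r\n\r\n"

// Hypothetical policy: the proxy must reject any client-supplied
// X-Auth-Token, because only the proxy itself is allowed to set it.
const guardedHeader = "X-Auth-Token"

// rawHeaders splits the header block into name/value pairs with no
// normalisation, mimicking a filter that inspects raw header lines.
func rawHeaders(raw string) [][2]string {
	var out [][2]string
	sc := bufio.NewScanner(strings.NewReader(raw))
	sc.Scan() // skip the request line
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			break // end of header block
		}
		if i := strings.IndexByte(line, ':'); i > 0 {
			out = append(out, [2]string{line[:i], strings.TrimSpace(line[i+1:])})
		}
	}
	return out
}

// naiveBlocked compares the raw name exactly: "x-auth-token" slips through.
func naiveBlocked(raw string) bool {
	for _, h := range rawHeaders(raw) {
		if h[0] == guardedHeader {
			return true
		}
	}
	return false
}

// hardenedBlocked canonicalises both sides before comparing, which is the
// case-insensitive match RFC 7230 section 3.2 requires for field names.
func hardenedBlocked(raw string) bool {
	want := textproto.CanonicalMIMEHeaderKey(guardedHeader)
	for _, h := range rawHeaders(raw) {
		if textproto.CanonicalMIMEHeaderKey(h[0]) == want {
			return true
		}
	}
	return false
}

// upstreamSees parses the request the way a standards-conforming server
// does; the header is visible regardless of how the client spelled it.
func upstreamSees(raw string) string {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return ""
	}
	return req.Header.Get(guardedHeader)
}

func main() {
	for name, raw := range map[string]string{"upper": reqUpper, "lower": reqLower} {
		fmt.Printf("%-5s naive=%v hardened=%v upstream=%q\n",
			name, naiveBlocked(raw), hardenedBlocked(raw), upstreamSees(raw))
	}
}
```

The interesting row is the lower-case request: the naive filter lets it through, yet the upstream still reads the forged value. A filter in front of a server must therefore normalise header names (or use the HTTP library's header accessors, which already do) rather than string-compare raw lines.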
NVD Severity
medium
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Issue Tracking https://issues.jboss.org/browse/KEYCLOAK-14090
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1868591

Match rules

CPE URI                                          Source package  Min version  Max version
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*        keycloak        (none)       (none)
cpe:2.3:a:redhat:louketo_proxy:*:*:*:*:*:*:*:*   louketo_proxy   (none)       (none)

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
keycloak 3.19-community 23.0.1-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable
keycloak 3.20-community 24.0.5-r1 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable
keycloak edge-community 25.0.6-r1 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable