Vulnerabilities > CVE-2020-14359 - Authentication Bypass by Primary Weakness vulnerability in Redhat Louketo Proxy

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

redhat

CWE-305

NVD

Published: 2021-02-23

Updated: 2022-08-10

Summary

A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers (via cURL) an attacker can bypass our Gatekeeper. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when we put a Gatekeeper in front of a Jetty server and use lowercase headers.

Vulnerable Configurations

Part	Description	Count
Application	Redhat Redhat Louketo Proxy *	1

Common Weakness Enumeration (CWE)

CWE-305 - Authentication Bypass by Primary Weakness

References

https://issues.jboss.org/browse/KEYCLOAK-14090
https://bugzilla.redhat.com/show_bug.cgi?id=1868591