GHSA-jh6m-3pqw-242h

GitHub Security Advisory

Keycloak Gatekeeper vulnerable to bypass on using lower case HTTP headers

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

A vulnerability was found in all versions of the deprecated package Keycloak Gatekeeper: by sending HTTP headers with lowercase names (for example via cURL), a client can bypass the Gatekeeper's header handling. Lowercase header names are also accepted by some web servers (e.g. Jetty), so a Gatekeeper placed in front of a Jetty server provides no protection against such requests.
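The advisory does not show Gatekeeper's code, so the following is an added illustration (not the project's own) of the general mistake it describes: a gateway that looks up a client-controlled header by exact, case-sensitive name misses the lowercase spelling that the upstream server will still honour. The header name `X-Example-Auth` is a constructed placeholder.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed placeholder for a header the gateway must not let a client
// inject; the advisory does not name the actual header involved.
const protectedHeader = "X-Example-Auth"

// hasProtectedHeaderNaive is the vulnerable pattern: an exact map lookup.
// http.Header is a plain map, so a key stored as "x-example-auth" (e.g. by a
// layer that does not canonicalize names) is silently missed.
func hasProtectedHeaderNaive(h http.Header) bool {
	_, ok := h[protectedHeader]
	return ok
}

// hasProtectedHeaderSafe compares every key case-insensitively, matching the
// case-insensitive field-name semantics that servers such as Jetty apply.
func hasProtectedHeaderSafe(h http.Header) bool {
	for k := range h {
		if strings.EqualFold(k, protectedHeader) {
			return true
		}
	}
	return false
}

// stripProtectedHeaders removes every case variant before forwarding upstream.
// Deleting from a map while ranging over it is safe in Go.
func stripProtectedHeaders(h http.Header) {
	for k := range h {
		if strings.EqualFold(k, protectedHeader) {
			delete(h, k)
		}
	}
}

func main() {
	// Constructed headers as a non-canonicalizing layer might have stored them.
	h := http.Header{"x-example-auth": {"client-supplied"}}
	fmt.Println("naive check:", hasProtectedHeaderNaive(h)) // false: bypassed
	fmt.Println("safe check: ", hasProtectedHeaderSafe(h))  // true
	stripProtectedHeaders(h)
	fmt.Println("remaining:  ", len(h)) // 0
}
```

Note that Go's own net/http server canonicalizes header names it parses from the wire, so the unsafe lookup only fails once headers reach the map through a path that does not; the case-insensitive comparison is correct regardless of that path.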

Affected Packages

Go github.com/keycloak/keycloak-gatekeeper
Affected versions: all versions up to and including 1.2.8

Related CVEs

Key Information

GHSA ID
GHSA-jh6m-3pqw-242h
Published
February 9, 2022 12:56 AM
Last Modified
August 12, 2022 8:52 PM
CVSS Score
7.5 / 10
Primary Ecosystem
Go
Primary Package
github.com/keycloak/keycloak-gatekeeper
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 23, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.