A vulnerability was found in keycloak, where on using lower case HTTP headers (via cURL) a Gatekeeper can be bypassed. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when putting a Gatekeeper in front of a Jetty server and using lowercase headers.
A vulnerability was found in keycloak, where on using lower case HTTP headers (via cURL) a Gatekeeper can be bypassed. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when putting a Gatekeeper in front of a Jetty server and using lowercase headers.
https://bugzilla.redhat.com/show_bug.cgi?id=1868591 https://issues.jboss.org/browse/KEYCLOAK-14090