CVE-2020-14359

7.3 HIGH

📋 TL;DR

CVE-2020-14359 is an authentication bypass vulnerability in Keycloak Gatekeeper: attackers can bypass its security protections by sending HTTP headers with lowercase names, which Gatekeeper's checks do not recognise, instead of the conventionally capitalised form. This affects all versions of Keycloak Gatekeeper when deployed in front of web servers like Jetty that accept lowercase header names, and it allows unauthorized access to protected resources.

💻 Affected Systems

Products:
  • Keycloak Gatekeeper
Versions: All versions prior to patched versions
Operating Systems: All operating systems running Keycloak Gatekeeper
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability specifically affects deployments where Gatekeeper is used with web servers that accept lowercase HTTP headers (like Jetty).

📦 What is this software?

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete authentication bypass allowing unauthorized access to all protected resources behind Gatekeeper, potentially leading to data exposure, privilege escalation, or system compromise.

🟠 Likely Case

Unauthorized access to protected applications and APIs, potentially exposing sensitive data or functionality to unauthenticated users.

🟢 If Mitigated

No impact if Gatekeeper is patched or workarounds are implemented to enforce case-sensitive header validation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending HTTP requests with lowercase header names to bypass Gatekeeper's authentication checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Keycloak Gatekeeper versions with fixes applied (check specific vendor releases)

Vendor Advisory: https://access.redhat.com/security/cve/cve-2020-14359

Restart Required: Yes

Instructions:

  1. Update Keycloak Gatekeeper to a patched version.
  2. Restart the Gatekeeper service.
  3. Verify that header validation now also covers lowercase header names.

🔧 Temporary Workarounds

Configure web server to reject lowercase headers

Platform: all

Configure upstream web servers (like Jetty) to reject HTTP requests with lowercase header names, forcing clients to use the conventionally capitalised form. Caveat: HTTP/2 requires header field names to be lowercase, so such a rule can only be applied to HTTP/1.1 listeners without breaking HTTP/2 clients.

# Jetty configuration example: set header case sensitivity in jetty.xml or web.xml

Use reverse proxy with header normalization

Platform: all

Deploy a reverse proxy (like nginx or Apache) in front of Gatekeeper that normalizes request header names to the conventional case before passing requests to Gatekeeper.

# nginx example: request header normalization rules in nginx.conf

🧯 If You Can't Patch

  • Implement network segmentation to isolate Gatekeeper-protected resources from untrusted networks
  • Deploy additional authentication layers or Web Application Firewall (WAF) with header validation rules

🔍 How to Verify

Check if Vulnerable:

Test by sending HTTP requests with lowercase header names (e.g., 'authorization' instead of 'Authorization') to protected endpoints and checking whether access is granted without proper authentication.
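As an added illustration (not Gatekeeper's own code), the following Python models the bug class behind this CVE: a filter that strips sensitive headers by exact name beside one that compares names case-insensitively, both checked against a constructed lowercase-header request as it would be seen by a case-insensitive upstream such as Jetty. The header names in SENSITIVE are assumed for the illustration.

```python
# Added illustration of the case-sensitive header filter bug class; not
# Keycloak Gatekeeper's code. Header names below are assumed.
SENSITIVE = {"Authorization", "X-Auth-Token", "X-Auth-Roles"}


def strip_sensitive_exact(headers: dict) -> dict:
    """Vulnerable pattern: a header is dropped only if its name matches
    the expected capitalisation exactly, so 'authorization' slips past."""
    return {k: v for k, v in headers.items() if k not in SENSITIVE}


def strip_sensitive_ci(headers: dict) -> dict:
    """Hardened pattern: header names are compared case-insensitively,
    as HTTP defines them (RFC 7230 section 3.2)."""
    lowered = {s.lower() for s in SENSITIVE}
    return {k: v for k, v in headers.items() if k.lower() not in lowered}


def upstream_sees(headers: dict, name: str):
    """Model of a case-insensitive upstream such as Jetty: any casing of
    the name is honoured as that header."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def leaks_through(headers: dict, filter_fn) -> list:
    """Names of sensitive headers that survive filter_fn and would still
    be honoured by the case-insensitive upstream. Empty means safe."""
    forwarded = filter_fn(headers)
    return sorted(s for s in SENSITIVE if upstream_sees(forwarded, s) is not None)


# Constructed sample request with lowercase header names.
SAMPLE_REQUEST = {
    "host": "app.example",
    "authorization": "Bearer not-issued-by-gatekeeper",
    "x-auth-roles": "admin",
    "user-agent": "test-client/1.0",
}

if __name__ == "__main__":
    print("exact-match filter leaks:", leaks_through(SAMPLE_REQUEST, strip_sensitive_exact))
    print("case-insensitive filter leaks:", leaks_through(SAMPLE_REQUEST, strip_sensitive_ci))
```

Running it shows the exact-match filter forwarding both lowercase headers to the upstream, while the case-insensitive filter forwards neither.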

Check Version:

keycloak-gatekeeper --version

Verify Fix Applied:

After patching, repeat the lowercase header test: requests should now be rejected or properly authenticated. Check Gatekeeper logs to confirm that header validation is applied to lowercase header names as well.

📡 Detection & Monitoring

Log Indicators:

  • Gatekeeper logs showing authentication bypass with lowercase headers
  • Access logs showing successful requests with non-standard header casing

Network Indicators:

  • HTTP traffic with lowercase authorization/authentication headers
  • Unusual authentication patterns from single sources

SIEM Query:

source="gatekeeper" AND (header_case="lower" OR auth_bypass="true")
