A vulnerability was found in Keycloak Gatekeeper: sending HTTP headers with lower-case names (for example via cURL) bypasses the Gatekeeper's header filtering. Lower-case header names are also accepted by some web servers (e.g. Jetty), so a Gatekeeper placed in front of a Jetty server offers no protection against requests that use lower-case headers.

References: https://issues.jboss.org/browse/KEYCLOAK-14090
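To make the failure mode concrete, here is an added Go example (not Gatekeeper's own code) contrasting a proxy header filter that compares names case-sensitively with one that canonicalizes names before comparing. The protected header names (`X-Auth-Subject`, `X-Auth-Roles`, `X-Auth-Email`) and the request headers are constructed assumptions for illustration; a backend that matches header names case-insensitively, as Jetty does, is modelled by `backendSees`.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strings"
)

// protectedHeaders are identity headers the proxy injects itself after
// authenticating the user; any client-supplied copy must be dropped.
// These names are illustrative assumptions, not Gatekeeper's configuration.
var protectedHeaders = []string{"X-Auth-Subject", "X-Auth-Roles", "X-Auth-Email"}

// stripProtectedCaseSensitive models the flawed filter: it removes only an
// exact-case match, so a client-supplied "x-auth-subject" passes through.
func stripProtectedCaseSensitive(h map[string][]string) map[string][]string {
	out := map[string][]string{}
	for name, values := range h {
		drop := false
		for _, p := range protectedHeaders {
			if name == p {
				drop = true
				break
			}
		}
		if !drop {
			out[name] = values
		}
	}
	return out
}

// stripProtectedCanonical is the hardened filter: every incoming name is
// canonicalized (e.g. "x-auth-subject" -> "X-Auth-Subject") before the
// comparison, so every case variant of a protected header is removed.
func stripProtectedCanonical(h map[string][]string) map[string][]string {
	blocked := map[string]bool{}
	for _, p := range protectedHeaders {
		blocked[textproto.CanonicalMIMEHeaderKey(p)] = true
	}
	out := map[string][]string{}
	for name, values := range h {
		if blocked[textproto.CanonicalMIMEHeaderKey(name)] {
			continue
		}
		out[name] = values
	}
	return out
}

// backendSees models a Jetty-like backend that looks headers up
// case-insensitively: it reports whether a header reaches the application
// regardless of the case the client used.
func backendSees(h map[string][]string, name string) bool {
	for k := range h {
		if strings.EqualFold(k, name) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request: a lower-case copy of a protected header plus an
	// exact-case copy of another, alongside an ordinary header.
	req := map[string][]string{
		"x-auth-subject": {"alice"},
		"X-Auth-Roles":   {"admin"},
		"Accept":         {"*/*"},
	}
	weak := stripProtectedCaseSensitive(req)
	strong := stripProtectedCanonical(req)
	fmt.Println("case-sensitive filter, backend sees X-Auth-Subject:", backendSees(weak, "X-Auth-Subject"))
	fmt.Println("canonical filter, backend sees X-Auth-Subject:", backendSees(strong, "X-Auth-Subject"))
	fmt.Println("canonical filter, backend sees Accept:", backendSees(strong, "Accept"))
}
```

The inputs are plain `map[string][]string` values rather than `http.Header` set through `Header.Set`, because `Header.Set` would canonicalize the key and hide the exact mismatch being demonstrated; the same applies to any proxy that compares raw header names from a parser that does not canonicalize them.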
Acknowledgments: Mathijs Hondshorst and Erwin Rooijakkers (Mediquest)
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14359