Description
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.
Statement
This vulnerability is rated Moderate for Red Hat because Keycloak's excessive tolerance for non-standard Bearer token formats in the Authorization header can lead to inconsistencies with front-end security controls such as WAFs and proxies. A header that a front-end control does not recognize as a Bearer credential, but that Keycloak nevertheless accepts, could allow malformed tokens to circumvent the security policies those controls are meant to enforce.
Mitigation
To mitigate this issue, configure any front-end security controls, such as Web Application Firewalls (WAFs) or reverse proxies, to strictly validate and normalize the Authorization header before forwarding requests to Keycloak. This ensures that only standard Bearer token formats are processed, preventing potential bypasses.
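The following is an added example, not Keycloak's parser or any Red Hat-provided code: a strict RFC 6750 validator and normalizer of the kind a reverse proxy or WAF plug-in could apply to the Authorization header before forwarding a request upstream. It implements the ABNF from RFC 6750 section 2.1 (`"Bearer" 1*SP b64token`), so a tab separator, a scheme spelled `bearer` or `BEARER`, or a token containing characters outside the b64token alphabet is rejected rather than forwarded, and a conformant header is rewritten into one canonical form (a single space between scheme and token). The function names and the sample header values are constructed for this illustration.

```python
import re
from typing import List, Optional, Tuple

# RFC 6750 section 2.1 ABNF for the Authorization header value:
#   credentials = "Bearer" 1*SP b64token
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The scheme is matched case-sensitively on purpose: the mitigation's point is
# that the edge control forwards exactly one canonical form to Keycloak.
_B64TOKEN = r"[A-Za-z0-9\-._~+/]+=*"
_STRICT_BEARER = re.compile(r"\ABearer +(" + _B64TOKEN + r")\Z")

OK = "ok"


def strict_bearer_token(header: str) -> Optional[str]:
    """Return the token if `header` is an RFC 6750 conformant Bearer credential, else None."""
    m = _STRICT_BEARER.match(header)
    return m.group(1) if m else None


def normalize_authorization(header: str) -> Optional[str]:
    """Canonical value to forward upstream (single SP between scheme and token), or None to reject."""
    token = strict_bearer_token(header)
    return None if token is None else f"Bearer {token}"


def classify(header: str) -> str:
    """Explain why a header fails strict parsing; returns 'ok' when it passes."""
    if strict_bearer_token(header) is not None:
        return OK
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in header):
        # A tab (0x09) between scheme and token lands here.
        return "control character in header (e.g. tab used as separator)"
    scheme = header.split(" ", 1)[0]
    if scheme != "Bearer":
        if scheme.lower() == "bearer":
            return "scheme case differs from 'Bearer'"
        return "scheme is not Bearer"
    rest = header[len(scheme):]
    if rest.strip(" ") == "":
        return "missing token"
    return "token contains characters outside b64token"


# Constructed sample header values (not taken from any real traffic) covering the edge cases
SAMPLE_HEADERS = [
    "Bearer abc.def-123~_+/==",  # conformant
    "Bearer  abc",               # conformant: 1*SP allows several spaces, normalized to one
    "Bearer\tabc",               # tab separator
    "bearer abc",                # scheme case variation
    "BEARER abc",                # scheme case variation
    "Bearer abc def",            # space inside the token
    "Bearer",                    # scheme without token
    "Basic dXNlcjpwYXNz",        # different scheme entirely
]


def audit(headers: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """(original, verdict, forwarded value) per header; forwarded is None when the request is blocked."""
    return [(h, classify(h), normalize_authorization(h)) for h in headers]


if __name__ == "__main__":
    for original, verdict, forwarded in audit(SAMPLE_HEADERS):
        action = f"forward {forwarded!r}" if forwarded else "reject (401)"
        print(f"{original!r:28} -> {verdict:58} {action}")
```

Run as a script, the audit prints one line per sample header showing the verdict and what, if anything, would be forwarded. RFC 7235 treats scheme names as case-insensitive in general, so an operator may choose to canonicalize `bearer` to `Bearer` instead of rejecting it; whichever policy is chosen, the requirement the advisory points to is that the front-end control and Keycloak agree on exactly one accepted form, and this example takes the strict reading.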
Additional information
Status:
EPSS:
CVSS3: 5.3 Medium
Related vulnerabilities
Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
EPSS:
CVSS3: 5.3 Medium