CVE-2022-29266

Summary

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache APISIXApache APISIX <= 2.13.0affected

Weaknesses

  • CWE-209: CWE-209 Generation of Error Message Containing Sensitive Information

Workarounds

  1. Upgrade to 2.13.1 and above

  2. Apply the following patch to Apache APISIX and rebuild it: This will make this error message no longer contain sensitive information and return a fixed error message to the caller. For the current LTS 2.13.x or master: https://github.com/apache/apisix/pull/6846 https://github.com/apache/apisix/pull/6847 https://github.com/apache/apisix/pull/6858 For the last LTS 2.10.x: https://github.com/apache/apisix/pull/6847 https://github.com/apache/apisix/pull/6855

  3. Manually modify the version you are using according to the commit above and rebuild it to circumvent the vulnerability.

ADP Enrichment

CVE Program Container

Additional References

References