CVE-2022-29266
N/A
Summary
In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache APISIX | Apache APISIX <= 2.13.0 | affected |
Weaknesses
- CWE-209: CWE-209 Generation of Error Message Containing Sensitive Information
Workarounds
Upgrade to 2.13.1 and above
Apply the following patch to Apache APISIX and rebuild it: This will make this error message no longer contain sensitive information and return a fixed error message to the caller. For the current LTS 2.13.x or master: https://github.com/apache/apisix/pull/6846 https://github.com/apache/apisix/pull/6847 https://github.com/apache/apisix/pull/6858 For the last LTS 2.10.x: https://github.com/apache/apisix/pull/6847 https://github.com/apache/apisix/pull/6855
Manually modify the version you are using according to the commit above and rebuild it to circumvent the vulnerability.
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr
- http://www.openwall.com/lists/oss-security/2022/04/20/1
References
- https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr
- http://www.openwall.com/lists/oss-security/2022/04/20/1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.