CVE-2022-29266: apisix/jwt-auth may leak secrets in error response
First published: Wed Apr 20 2022(Updated: )
In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache APISIX | <2.13.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this APache APISIX issue?
The vulnerability ID for this APache APISIX issue is CVE-2022-29266.
What is the severity of CVE-2022-29266?
CVE-2022-29266 has a severity rating of 7.5 (High).
What is the affected software?
The affected software is Apache APISIX version up to and excluding 2.13.1.
What is the security issue in the jwt-auth plugin of APache APISIX?
The security issue in the jwt-auth plugin of Apache APISIX leaks the user's secret key due to the sensitive information in the error message returned from the dependency lua-resty-jwt.
Are there any references related to CVE-2022-29266?
Yes, there are references related to CVE-2022-29266. They can be found at the following links: [Link 1](http://www.openwall.com/lists/oss-security/2022/04/20/1), [Link 2](https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr).
- collector/nvd-index
- agent/references
- agent/softwarecombine
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/title
- agent/severity
- agent/author
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/apache
- canonical/apache apisix