当前位置：网站首页>API IX JWT auth plug-in has an error. Risk announcement of information disclosure in response (cve-2022-29266)

API IX JWT auth plug-in has an error. Risk announcement of information disclosure in response (cve-2022-29266)

2022-04-23 01:02:00 【InfoQ】

Problem description

The plug-in has the security problem of divulging the user's secret key , The reason is from the dependency Library

lua-resty-jwt

The error information returned in contains sensitive information .

Affects version

Apache APISIX 2.13.0 And all previous versions

Solution

Please upgrade to... Now Apache APISIX 2.13.1 And above .

If it is not convenient to update the version , Please be there. Apache APISIX Install the corresponding version of the patch package on , Implement refactoring , To bypass the vulnerability （ After the patch package is installed and takes effect , The error message received by the caller will be the repaired error message , No more sensitive information ）.

The following patches apply to LTS 2.13.x Or major version ：

https://github.com/apache/apisix/pull/6846

https://github.com/apache/apisix/pull/6847

https://github.com/apache/apisix/pull/6858

The following patches apply to the latest LTS 2.10.x edition ：

https://github.com/apache/apisix/pull/6847

https://github.com/apache/apisix/pull/6855

Vulnerability Details

Vulnerability priority ： emergency

Vulnerability disclosure time ：2022 year 4 month 20 Japan

CVE Details ：

https://nvd.nist.gov/vuln/detail/CVE-2022-29266

Contributor profile

The vulnerability is caused by Kingdee software ( China ) Tang Zhongyuan of Co., Ltd 、 Xie Hongfeng and Chen Bing found and reported , Thank you for Apache APISIX Community contribution .