Apache APISIX jwt-auth plugin error response information disclosure risk announcement (CVE-2022-29266)
2022-04-23 15:40:00 【ApacheAPISIX】
Problem description
The jwt-auth plugin has a security issue that leaks the user's secret key, because the error message returned by the dependent library lua-resty-jwt contains sensitive information.
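As an added illustration (not APISIX or lua-resty-jwt code), the error-handling pattern this advisory describes beside its hardened form, plus a check that a gateway response does not echo the consumer's key; the JWT library, the token format and the error texts are constructed stand-ins.

```python
import logging
from typing import Dict, Tuple

log = logging.getLogger("jwt-auth")


class JwtVerifyError(Exception):
    """Constructed stand-in for a verification error raised by a JWT library.

    Its message embeds the secret, mimicking the class of defect the advisory
    describes; it is not the real lua-resty-jwt message.
    """


def verify_token(token: str, secret: str) -> Dict[str, str]:
    # Constructed stand-in for the dependency's verify call: a token is valid
    # only if it carries the expected signature, and the failure text leaks the key.
    if token != "sig:" + secret:
        raise JwtVerifyError(f"signature verification failed with key '{secret}'")
    return {"sub": "user"}


def handle_vulnerable(token: str, secret: str) -> Tuple[int, Dict[str, str]]:
    # The pattern the advisory warns about: the library's error text is
    # relayed verbatim to the caller, so the consumer's key reaches the client.
    try:
        verify_token(token, secret)
    except JwtVerifyError as err:
        return 401, {"message": str(err)}
    return 200, {"message": "ok"}


def handle_fixed(token: str, secret: str) -> Tuple[int, Dict[str, str]]:
    # Hardened pattern: keep the detailed reason in the server log for the
    # operator and return only a fixed, non-descriptive message to the caller.
    try:
        verify_token(token, secret)
    except JwtVerifyError as err:
        log.warning("jwt verification failed: %s", err)
        return 401, {"message": "failed to verify jwt"}
    return 200, {"message": "ok"}


def response_leaks_secret(body: Dict[str, str], secret: str) -> bool:
    # Regression check an operator can run against the gateway's error
    # responses: True if any response field echoes the consumer's key.
    return any(secret in str(value) for value in body.values())
```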
Affected versions
Apache APISIX 2.13.0 and all earlier versions
Solution
- Upgrade to Apache APISIX 2.13.1 or later.
- If upgrading is not convenient, install the patch corresponding to your version on your Apache APISIX deployment and rebuild it to work around the vulnerability (once the patch is installed and takes effect, the error message received by the caller is the fixed one and no longer contains sensitive information).
The following patches apply to LTS 2.13.x or the major version:
- https://github.com/apache/apisix/pull/6846
- https://github.com/apache/apisix/pull/6847
- https://github.com/apache/apisix/pull/6858
The following patches apply to the latest LTS 2.10.x release:
- https://github.com/apache/apisix/pull/6847
- https://github.com/apache/apisix/pull/6855
Vulnerability Details
Vulnerability priority: urgent
Vulnerability disclosure date: April 20, 2022
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2022-29266
Contributor profile
The vulnerability was found and reported by Tang Zhongyuan, Xie Hongfeng and Chen Bing of Kingdee Software (China) Co., Ltd. Thank you for your contribution to the Apache APISIX community.
Copyright notice
This article was written by [ApacheAPISIX]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204231533587450.html