Problem description

jwt-auth The plug-in has the security problem of divulging the user's secret key , Because from the dependent Library lua-resty-jwt The returned error message contains sensitive information .

Affects version

Apache APISIX 2.13.0 And all previous versions

Solution

1. Please upgrade to... Now Apache APISIX 2.13.1 And above .

2. If it is not convenient to update the version , Please be there. Apache APISIX Install the corresponding version of the patch package on , Implement refactoring , To bypass the vulnerability （ After the patch package is installed and takes effect , The error message received by the caller will be the repaired error message , No more sensitive information ）.

The following patches apply to LTS 2.13.x Or major version ：

• https://github.com/apache/apisix/pull/6846
• https://github.com/apache/apisix/pull/6847
• https://github.com/apache/apisix/pull/6858

The following patches apply to the latest LTS 2.10.x edition ：

• https://github.com/apache/apisix/pull/6847
• https://github.com/apache/apisix/pull/6855

Vulnerability Details

Vulnerability priority ： emergency

Vulnerability disclosure time ：2022 year 4 month 20 Japan

CVE Details ：https://nvd.nist.gov/vuln/detail/CVE-2022-29266

Contributor profile

The vulnerability is caused by Kingdee software ( China ) Tang Zhongyuan of Co., Ltd 、 Xie Hongfeng and Chen Bing found and reported , Thank you for Apache APISIX Community contribution .