Apache APISIX jwt-auth plugin: risk announcement of information disclosure in error responses (CVE-2022-29266)
2022-04-23 15:40:00 【ApacheAPISIX】
Problem description
The jwt-auth plugin has a security issue that discloses the user's secret key: the error message returned by the dependent library lua-resty-jwt contains sensitive information, and that message reaches the caller.
Affected versions
Apache APISIX 2.13.0 and all earlier versions
Solution
- Upgrade to Apache APISIX 2.13.1 or later.
- If upgrading is not convenient, install the corresponding patch for your version on Apache APISIX and rebuild to work around the vulnerability (once the patch is installed and in effect, the error message the caller receives is the fixed one and no longer contains sensitive information).
The following patches apply to LTS 2.13.x or the master version:
- https://github.com/apache/apisix/pull/6846
- https://github.com/apache/apisix/pull/6847
- https://github.com/apache/apisix/pull/6858
The following patches apply to the latest LTS 2.10.x versions:
- https://github.com/apache/apisix/pull/6847
- https://github.com/apache/apisix/pull/6855
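The problem description and the solution above describe the same fix from two sides: the library's failure reason must not be returned to the caller verbatim. The following is an added example, not code from the APISIX project, that models the pre-fix and post-fix handlers in Python and includes a checker an operator can run over a captured 401 body to confirm a gateway no longer reflects its key. The stand-in library, its reason text, the secret and the fixed "failed to verify jwt" wording are all constructed here and are not quoted from lua-resty-jwt or APISIX.

```python
import base64
import hashlib
import hmac
import json
import logging

log = logging.getLogger("jwt-auth")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: str) -> str:
    """Constructed helper: build a minimal HS256 token to use as test input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_with_chatty_library(token: str, secret: str):
    """Stand-in for a JWT library whose failure reason embeds key material.
    This models the class of behaviour the advisory describes; the real
    lua-resty-jwt message text is not reproduced here."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "invalid token format"
    expected = _b64url(hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return False, f"signature mismatch: expected {expected} using secret '{secret}'"
    return True, "ok"


def vulnerable_handler(token: str, secret: str):
    """Pre-fix shape: the library's reason goes straight into the 401 body."""
    ok, reason = verify_with_chatty_library(token, secret)
    return (401, {"message": reason}) if not ok else (200, {"message": "ok"})


def fixed_handler(token: str, secret: str):
    """Post-fix shape: detail goes to the server log, the caller gets a fixed message."""
    ok, reason = verify_with_chatty_library(token, secret)
    if not ok:
        log.warning("failed to verify jwt: %s", reason)
        return 401, {"message": "failed to verify jwt"}
    return 200, {"message": "ok"}


def response_leaks_secret(body: dict, secret: str) -> bool:
    """Operator check: does a captured 401 body contain the configured key?"""
    return secret in json.dumps(body)
```

To check a deployed gateway, send a request with a deliberately mis-signed token for a consumer you own and pass the JSON body of the 401 to `response_leaks_secret` with that consumer's key.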
Vulnerability details
Vulnerability priority: urgent
Vulnerability disclosure date: April 20, 2022
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2022-29266
Contributor profile
The vulnerability was found and reported by Tang Zhongyuan, Xie Hongfeng and Chen Bing of Kingdee Software (China) Co., Ltd. Thank you for your contribution to the Apache APISIX community.
Copyright notice
This article was written by [ApacheAPISIX]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204231533587450.html