In 2.13.0 and previous versions, there is a problem of information leakage caused by the
jwt- authplugin.
Problem Description
The jwt- auth plugin has a security problem of leaking the user's secret key because the error message returned from the dependent library lua-resty-jwt contains sensitive information.
Affected Versions
Apache 2.13.0 and all previous versions
Solution
- Please upgrade to Apache 2.13.1 or above immediately.
- If it is not convenient to update the version, install the corresponding version of the patch on Apache to implement refactoring to bypass the vulnerability (after the patch is installed and takes effect, the error message received by the caller will be the fixed error message and will no longer contain sensitive information).
The following patches apply to LTS 2.13.x or major versions:
- https://github.com/apache//pull/6846
- https://github.com/apache//pull/6847
- https://github.com/apache//pull/6858
The following patches apply to the latest version of LTS 2.10.x:
- https://github.com/apache//pull/6847
- https://github.com/apache//pull/6855
Vulnerability details
Severity:Urgent
Vulnerability public date: April 20, 2022
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2022-29266
Contributor Profile
The vulnerability was discovered and reported by Tang Zhongyuan, Xie Hongfeng and Chen Bing of Kingdee Software (China). Thank you for your contribution to the Apache community.