You are viewing a plain text version of this content. The canonical link for it is here.

Posted to announce@apache.org by Zeping Bai <bz...@apache.org> on 2022/04/20 03:40:37 UTC

CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response

Severity: critical

Description:

An attacker can obtain a plugin-configured secret via an error message response by sending an incorrect JSON Web Token to a route protected by the jwt-auth plugin.
The error logic in the dependency library lua-resty-jwt enables sending an RS256 token to an endpoint that requires an HS256 token, with the original secret value included in the error response.

Mitigation:

1. Upgrade to 2.13.1 and above

2. Apply the following patch to Apache APISIX and rebuild it:
This will make this error message no longer contain sensitive information and return a fixed error message to the caller.
For the current LTS 2.13.x or master:
https://github.com/apache/apisix/pull/6846
https://github.com/apache/apisix/pull/6847
https://github.com/apache/apisix/pull/6858
For the last LTS 2.10.x:
https://github.com/apache/apisix/pull/6847
https://github.com/apache/apisix/pull/6855

3. Manually modify the version you are using according to the commit above and rebuild it to circumvent the vulnerability.

Credit:

Discovered and reported by a team from Kingdee Software (China) Ltd. consisting of Zhongyuan Tang, Hongfeng Xie, and Bing Chen.