Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/04/24 02:50:12 UTC

[GitHub] [apisix-website] SylviaBABY opened a new pull request, #1051: docs: add CVE-2022-29266 post

SylviaBABY opened a new pull request, #1051:
URL: https://github.com/apache/apisix-website/pull/1051

   Changes:
   
   add CVE-2022-29266 post
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix-website] hf400159 commented on a diff in pull request #1051: docs: add CVE-2022-29266 post

Posted by GitBox <gi...@apache.org>.
hf400159 commented on code in PR #1051:
URL: https://github.com/apache/apisix-website/pull/1051#discussion_r857059870


##########
website/i18n/zh/docusaurus-plugin-content-blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,50 @@
+---
+title: "APISIX jwt-auth 插件存在错误响应中泄露信息的风险公告(CVE-2022-29266)"
+keywords: 
+- 风险公告
+- jwt-auth
+- 错误响应
+- 漏洞补丁
+description: 在 APISIX 2.13.1 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。
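
Review bot: The title writes the leak as 泄露 while the description on the last line writes 泄漏; use one form in both (泄露 is what the title already has) so the post reads consistently and is searchable under a single term. The `keywords: ` line also ends in a trailing space after the colon that can be dropped.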

Review Comment:
   ```suggestion
   description: 在 APISIX 2.13.0 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。
   ```



##########
website/i18n/zh/docusaurus-plugin-content-blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,50 @@
+---
+title: "APISIX jwt-auth 插件存在错误响应中泄露信息的风险公告(CVE-2022-29266)"
+keywords: 
+- 风险公告
+- jwt-auth
+- 错误响应
+- 漏洞补丁
+description: 在 APISIX 2.13.1 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。
+tags: [Security]
+---
+
+> 在 APISIX 2.13.1 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。

Review Comment:
   ditto



##########
website/i18n/zh/docusaurus-plugin-content-blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,50 @@
+---
+title: "APISIX jwt-auth 插件存在错误响应中泄露信息的风险公告(CVE-2022-29266)"
+keywords: 
+- 风险公告
+- jwt-auth
+- 错误响应
+- 漏洞补丁
+description: 在 APISIX 2.13.1 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。
+tags: [Security]
+---
+
+> 在 APISIX 2.13.1 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。
+
+<!--truncate-->
+
+## 问题描述
+
+`jwt-auth` 插件存在泄露用户秘钥的安全问题,因为从依赖库 lua-resty-jwt 返回的错误信息中包含敏感信息。
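
Review bot: In the 问题描述 paragraph, 用户秘钥 should be 用户密钥; 密钥 is the standard spelling for a cryptographic key, and a security advisory should use it so the term matches what readers search for.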

Review Comment:
   ```suggestion
   `jwt-auth` 插件存在泄露用户秘钥的安全问题,因为从依赖库 `lua-resty-jwt` 返回的错误信息中包含敏感信息。
   ```



##########
website/blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "The Vulnerability of Leaking Information in Error Response from jwt-auth Plugin(CVE-2022-29266)"
+keywords: 
+- Vulnerability
+- jwt-auth
+- Error Response
+description: In APISIX 2.13.1 and previous versions, there is a problem of information leakage caused by the `jwt- auth` plug-in.
+tags: [Security]
+---
+
+> In APISIX 2.13.1 and previous versions, there is a problem of information leakage caused by the `jwt- auth` plug-in.
+
+<!--truncate-->
+
+## Problem Description
+
+The `jwt- auth` plug-in has a security problem of leaking the user's secret key because the error message returned from the dependent library lua-resty-jwt contains sensitive information.
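
Review bot: The plugin name is written `jwt- auth`, with a stray space after the hyphen, in the description, the blockquote and the Problem Description paragraph, while the title has jwt-auth; correct all three so the inline code matches the plugin name a reader would look for in their configuration. The same lines also alternate between "Plugin" in the title and "plug-in" in the body; pick one form.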

Review Comment:
   ```suggestion
   The `jwt- auth` Plugin has a security problem of leaking the user's secret key because the error message returned from the dependent library `lua-resty-jwt` contains sensitive information.
   ```



##########
website/blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "The Vulnerability of Leaking Information in Error Response from jwt-auth Plugin(CVE-2022-29266)"
+keywords: 
+- Vulnerability
+- jwt-auth
+- Error Response
+description: In APISIX 2.13.1 and previous versions, there is a problem of information leakage caused by the `jwt- auth` plug-in.
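
Review bot: The title line runs "Plugin" straight into "(CVE-2022-29266)" with no space, and "The Vulnerability of Leaking Information in Error Response from jwt-auth Plugin" is hard to scan in an advisory list. Add the space before the parenthesis and consider a shorter form such as "Information Leak in jwt-auth Plugin Error Responses (CVE-2022-29266)".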

Review Comment:
   ```suggestion
   description: In APISIX 2.13.0 and previous versions, there is a problem of information leakage caused by the `jwt- auth` plug-in.
   ```



##########
website/blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "The Vulnerability of Leaking Information in Error Response from jwt-auth Plugin(CVE-2022-29266)"
+keywords: 
+- Vulnerability
+- jwt-auth
+- Error Response
+description: In APISIX 2.13.1 and previous versions, there is a problem of information leakage caused by the `jwt- auth` plug-in.
+tags: [Security]
+---
+
+> In APISIX 2.13.1 and previous versions, there is a problem of information leakage caused by the `jwt- auth` plug-in.

Review Comment:
   ```suggestion
   > In APISIX 2.13.0 and previous versions, there is a problem of information leakage caused by the `jwt- auth` plug-in.
   ```





[GitHub] [apisix-website] netlify[bot] commented on pull request #1051: docs: add CVE-2022-29266 post

Posted by GitBox <gi...@apache.org>.
netlify[bot] commented on PR #1051:
URL: https://github.com/apache/apisix-website/pull/1051#issuecomment-1107691830

   ### Deploy Preview for *apache-apisix* processing.

   | Name | Link |
   |------|------|
   | Latest commit | acca328c84c973e25256f0200f2fe8ec927be6d6 |
   | Latest deploy log | https://app.netlify.com/sites/apache-apisix/deploys/6264bae4371efe0008aa9c68 |




[GitHub] [apisix-website] juzhiyuan merged pull request #1051: docs: add CVE-2022-29266 post

Posted by GitBox <gi...@apache.org>.
juzhiyuan merged PR #1051:
URL: https://github.com/apache/apisix-website/pull/1051

