In Apache APISIX 2.13.0 and all previous versions, the jwt-auth plugin leaks the user's secret key: the error message returned by the dependent library lua-resty-jwt contains sensitive information, and the plugin passes that message on to the caller.
Affected versions: Apache APISIX 2.13.0 and all previous versions
- Please upgrade to Apache APISIX 2.13.1 or above immediately.
- If updating the version is not convenient, apply the patch for your version to Apache APISIX; it reworks the plugin's error handling to close the vulnerability (once the patch is installed and in effect, the caller receives a fixed error message that no longer contains sensitive information).
The following patches apply to LTS 2.13.x or major versions:
The following patches apply to the latest version of LTS 2.10.x:
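The failure mode and the fix, as an added example that is not part of this advisory or of the APISIX code base: a constructed minimal HS256 verifier whose error message echoes the verification key (mimicking the leaking library behaviour), a handler that forwards that message to the caller, and a hardened handler that returns a fixed message instead. Names such as handle_leaky, handle_fixed and the sample secrets are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class JwtError(Exception):
    """Raised by the constructed verifier; its message may contain the key."""


def make_token(payload: dict, secret: str) -> str:
    """Build an HS256 token (constructed helper, used only to produce test input)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> dict:
    """Minimal check that, like the library described in the advisory,
    puts the configured secret into its error text on a signature mismatch."""
    try:
        head, body, sig = token.split(".")
        given = _b64url_decode(sig)
    except ValueError as exc:
        raise JwtError("invalid jwt string") from exc
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise JwtError(f"signature mismatch: {sig}, key: {secret}")  # sensitive detail
    return json.loads(_b64url_decode(body))


def handle_leaky(token: str, secret: str) -> tuple[int, str]:
    """Vulnerable pattern: the library's error text is returned to the caller."""
    try:
        verify_hs256(token, secret)
        return 200, "ok"
    except JwtError as exc:
        return 401, str(exc)


def handle_fixed(token: str, secret: str) -> tuple[int, str]:
    """Hardened pattern: detail stays in the server log, the caller gets a fixed message."""
    try:
        verify_hs256(token, secret)
        return 200, "ok"
    except JwtError as exc:
        print(f"jwt-auth: verification failed ({exc})")  # server-side log only
        return 401, "failed to verify jwt"
```

A quick regression check for an API gateway is to send a token signed with a wrong key and assert that the 401 body never contains the consumer's configured secret.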
Vulnerability public date: April 20, 2022
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2022-29266
The vulnerability was discovered and reported by Tang Zhongyuan, Xie Hongfeng and Chen Bing of Kingdee Software (China). Thank you for your contribution to the Apache APISIX community.