CVE-2022-29266

Published: Apr 20, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

Vendor	Product	Versions
Apache Software Foundation	Apache APISIX	affected `Apache APISIX - <= 2.13.0`

Weaknesses (CWE)

CWE-209

References

https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr

x_refsource_MISC

[oss-security] 20220420 CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-29266

Description

Affected Products

Weaknesses (CWE)

References