CVE-2022-29266

Name of the Vulnerable Software and Affected Versions Apache APISIX versions prior to 3.13.1

Description The issue is related to the jwt-auth plugin of Apache APISIX, which has a security problem due to insufficient error reporting mechanisms. This can allow a remote attacker to gain unauthorized access to protected information. The error message returned from the lua-resty-jwt dependency contains sensitive information, specifically the user's secret key, when an incorrect JSON Web Token is sent to a protected route. An attacker can exploit this by sending an RS256 token to an endpoint that requires an HS256 token, resulting in the original secret value being included in the error response.

Recommendations For Apache APISIX versions prior to 3.13.1, update to version 3.13.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the jwt-auth plugin or disabling the error message response from the lua-resty-jwt dependency to minimize the risk of exploitation.