CVE-2022-29266 - Vulnerability Details - OpenCVE

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.36449.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Apisix

Configuration 1 [-]

cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

1. Upgrade to 2.13.1 and above 2. Apply the following patch to Apache APISIX and rebuild it: This will make this error message no longer contain sensitive information and return a fixed error message to the caller. For the current LTS 2.13.x or master: https://github.com/apache/apisix/pull/6846 https://github.com/apache/apisix/pull/6847 https://github.com/apache/apisix/pull/6858 For the last LTS 2.10.x: https://github.com/apache/apisix/pull/6847 https://github.com/apache/apisix/pull/6855 3. Manually modify the version you are using according to the commit above and rebuild it to circumvent the vulnerability.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/04/20/1
https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-04-20T07:15:13

Updated: 2024-08-03T06:17:54.494Z

Reserved: 2022-04-15T00:00:00

Link: CVE-2022-29266

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-04-20T08:15:07.740

Modified: 2024-11-21T06:58:50.163

Link: CVE-2022-29266

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Apache APISIX", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.13.0", "status": "affected", "version": "Apache APISIX", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Discovered and reported by a team from Kingdee Software (China) Ltd. consisting of Zhongyuan Tang, Hongfeng Xie, and Bing Chen."}], "descriptions": [{"lang": "en", "value": "In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information."}], "metrics": [{"other": {"content": {"other": "critical"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-25T12:10:09", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"}, {"name": "[oss-security] 20220420 CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"}], "source": {"discovery": "UNKNOWN"}, "title": "apisix/jwt-auth may leak secrets in error response", "workarounds": [{"lang": "en", "value": "1. Upgrade to 2.13.1 and above\n\n2. Apply the following patch to Apache APISIX and rebuild it:\nThis will make this error message no longer contain sensitive information and return a fixed error message to the caller.\nFor the current LTS 2.13.x or master:\nhttps://github.com/apache/apisix/pull/6846\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6858\nFor the last LTS 2.10.x:\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6855\n\n3. Manually modify the version you are using according to the commit above and rebuild it to circumvent the vulnerability."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-29266", "STATE": "PUBLIC", "TITLE": "apisix/jwt-auth may leak secrets in error response"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache APISIX", "version": {"version_data": [{"version_affected": "<=", "version_name": "Apache APISIX", "version_value": "2.13.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Discovered and reported by a team from Kingdee Software (China) Ltd. consisting of Zhongyuan Tang, Hongfeng Xie, and Bing Chen."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "critical"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-209 Generation of Error Message Containing Sensitive Information"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr", "refsource": "MISC", "url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"}, {"name": "[oss-security] 20220420 CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "1. Upgrade to 2.13.1 and above\n\n2. Apply the following patch to Apache APISIX and rebuild it:\nThis will make this error message no longer contain sensitive information and return a fixed error message to the caller.\nFor the current LTS 2.13.x or master:\nhttps://github.com/apache/apisix/pull/6846\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6858\nFor the last LTS 2.10.x:\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6855\n\n3. Manually modify the version you are using according to the commit above and rebuild it to circumvent the vulnerability."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.494Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"}, {"name": "[oss-security] 20220420 CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-29266", "datePublished": "2022-04-20T07:15:13", "dateReserved": "2022-04-15T00:00:00", "dateUpdated": "2024-08-03T06:17:54.494Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A600F23-66CB-47A8-866E-B147690058E5", "versionEndExcluding": "2.13.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information."}, {"lang": "es", "value": "En APache APISIX antes de la versi\u00f3n 3.13.1, el plugin jwt-auth tiene un problema de seguridad que filtra la clave secreta del usuario porque el mensaje de error devuelto por la dependencia lua-resty-jwt contiene informaci\u00f3n sensible"}], "id": "CVE-2022-29266", "lastModified": "2024-11-21T06:58:50.163", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-20T08:15:07.740", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}]}