CVE-2022-29266 - OpenCVE

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Apisix

Configuration 1 [-]

cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/04/20/1
https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-04-20T07:15:13

Updated: 2024-08-03T06:17:54.494Z

Reserved: 2022-04-15T00:00:00

Link: CVE-2022-29266

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-20T08:15:07.740

Modified: 2022-04-29T23:38:22.927

Link: CVE-2022-29266

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache APISIX", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.13.0", "status": "affected", "version": "Apache APISIX", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Discovered and reported by a team from Kingdee Software (China) Ltd. consisting of Zhongyuan Tang, Hongfeng Xie, and Bing Chen."}], "descriptions": [{"lang": "en", "value": "In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information."}], "metrics": [{"other": {"content": {"other": "critical"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-25T12:10:09", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"}, {"name": "[oss-security] 20220420 CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"}], "source": {"discovery": "UNKNOWN"}, "title": "apisix/jwt-auth may leak secrets in error response", "workarounds": [{"lang": "en", "value": "1. Upgrade to 2.13.1 and above\n\n2. Apply the following patch to Apache APISIX and rebuild it:\nThis will make this error message no longer contain sensitive information and return a fixed error message to the caller.\nFor the current LTS 2.13.x or master:\nhttps://github.com/apache/apisix/pull/6846\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6858\nFor the last LTS 2.10.x:\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6855\n\n3. Manually modify the version you are using according to the commit above and rebuild it to circumvent the vulnerability."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-29266", "STATE": "PUBLIC", "TITLE": "apisix/jwt-auth may leak secrets in error response"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache APISIX", "version": {"version_data": [{"version_affected": "<=", "version_name": "Apache APISIX", "version_value": "2.13.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Discovered and reported by a team from Kingdee Software (China) Ltd. consisting of Zhongyuan Tang, Hongfeng Xie, and Bing Chen."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "critical"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-209 Generation of Error Message Containing Sensitive Information"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr", "refsource": "MISC", "url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"}, {"name": "[oss-security] 20220420 CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "1. Upgrade to 2.13.1 and above\n\n2. Apply the following patch to Apache APISIX and rebuild it:\nThis will make this error message no longer contain sensitive information and return a fixed error message to the caller.\nFor the current LTS 2.13.x or master:\nhttps://github.com/apache/apisix/pull/6846\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6858\nFor the last LTS 2.10.x:\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6855\n\n3. Manually modify the version you are using according to the commit above and rebuild it to circumvent the vulnerability."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.494Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"}, {"name": "[oss-security] 20220420 CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-29266", "datePublished": "2022-04-20T07:15:13", "dateReserved": "2022-04-15T00:00:00", "dateUpdated": "2024-08-03T06:17:54.494Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A600F23-66CB-47A8-866E-B147690058E5", "versionEndExcluding": "2.13.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information."}, {"lang": "es", "value": "En APache APISIX antes de la versi\u00f3n 3.13.1, el plugin jwt-auth tiene un problema de seguridad que filtra la clave secreta del usuario porque el mensaje de error devuelto por la dependencia lua-resty-jwt contiene informaci\u00f3n sensible"}], "id": "CVE-2022-29266", "lastModified": "2022-04-29T23:38:22.927", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-20T08:15:07.740", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "security@apache.org", "type": "Secondary"}]}