CVE-2022-29266

CWE-2093 documents3 sources
Severity
7.5HIGH
EPSS
35.8%
top 2.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache ApisixApache Software Foundation Apache Apisix
Timeline
PublishedApr 20
Latest updateApr 21

Description

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDapache/apisix< 2.13.1
CVEListV5apache_software_foundation/apache_apisixApache APISIX2.13.0

🔴Vulnerability Details

2
GHSA
GHSA-x46m-gg6j-22gf: In APache APISIX before 32022-04-21
CVEList
apisix/jwt-auth may leak secrets in error response2022-04-20
CVE-2022-29266 (HIGH CVSS 7.5) | In APache APISIX before 3.13.1 | cvebase.io