CVE-2022-29266

CVE-2022-29266: apisix/jwt-auth may leak secrets in error response

Vendor Apache Software Foundation
Product Apache APISIX
Weakness CWE-209 · Error message info leak
Published April 20, 2022
Last update August 3, 2024

CVSS base score

What the vulnerability does

01Description

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

Key dates

02Disclosure timeline

April 20, 2022 CVE published
August 3, 2024 Record updated