hf400159 commented on code in PR #1051:
URL: https://github.com/apache/apisix-website/pull/1051#discussion_r857059870


##########
website/i18n/zh/docusaurus-plugin-content-blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,50 @@
+---
+title: "APISIX jwt-auth 插件存在错误响应中泄露信息的风险公告(CVE-2022-29266)"
+keywords: 
+- 风险公告
+- jwt-auth
+- 错误响应
+- 漏洞补丁
+description: 在 APISIX 2.13.1 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。
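
Review bot: The `keywords: ` line in the front matter has trailing whitespace after the colon. Trim it to `keywords:` so the YAML front matter passes whitespace linting. The same line appears in the English file's front matter.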

Review Comment:
   ```suggestion
   description: 在 APISIX 2.13.0 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。
   ```



##########
website/i18n/zh/docusaurus-plugin-content-blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,50 @@
+---
+title: "APISIX jwt-auth 插件存在错误响应中泄露信息的风险公告(CVE-2022-29266)"
+keywords: 
+- 风险公告
+- jwt-auth
+- 错误响应
+- 漏洞补丁
+description: 在 APISIX 2.13.1 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。
+tags: [Security]
+---
+
+> 在 APISIX 2.13.1 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。

Review Comment:
   ditto



##########
website/i18n/zh/docusaurus-plugin-content-blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,50 @@
+---
+title: "APISIX jwt-auth 插件存在错误响应中泄露信息的风险公告(CVE-2022-29266)"
+keywords: 
+- 风险公告
+- jwt-auth
+- 错误响应
+- 漏洞补丁
+description: 在 APISIX 2.13.1 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。
+tags: [Security]
+---
+
+> 在 APISIX 2.13.1 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。
+
+<!--truncate-->
+
+## 问题描述
+
+`jwt-auth` 插件存在泄露用户秘钥的安全问题,因为从依赖库 lua-resty-jwt 返回的错误信息中包含敏感信息。
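
Review bot: In the 问题描述 paragraph, "秘钥" should be "密钥", the standard term for a cryptographic secret key. The affected-version sentence also appears verbatim in both the `description:` field and the `>` blockquote, so any correction to the version number has to be made in both places to keep the page metadata and the visible summary consistent.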

Review Comment:
   ```suggestion
   `jwt-auth` 插件存在泄露用户秘钥的安全问题,因为从依赖库 `lua-resty-jwt` 返回的错误信息中包含敏感信息。
   ```



##########
website/blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "The Vulnerability of Leaking Information in Error Response from 
jwt-auth Plugin(CVE-2022-29266)"
+keywords: 
+- Vulnerability
+- jwt-auth
+- Error Response
+description: In APISIX 2.13.1 and previous versions, there is a problem of 
information leakage caused by the `jwt- auth` plug-in.
+tags: [Security]
+---
+
+> In APISIX 2.13.1 and previous versions, there is a problem of information 
leakage caused by the `jwt- auth` plug-in.
+
+<!--truncate-->
+
+## Problem Description
+
+The `jwt- auth` plug-in has a security problem of leaking the user's secret 
key because the error message returned from the dependent library lua-resty-jwt 
contains sensitive information.
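
Review bot: The plugin name is written as `jwt- auth`, with a space after the hyphen, in the `description:` field, the blockquote and the Problem Description paragraph, while the title uses jwt-auth. Inside backticks this reads as a literal identifier that does not exist, so all three should be `jwt-auth`. The title is also missing a space before "(CVE-2022-29266)", and the body's "plug-in" should match the title's "Plugin".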

Review Comment:
   ```suggestion
   The `jwt- auth` Plugin has a security problem of leaking the user's secret 
key because the error message returned from the dependent library 
`lua-resty-jwt` contains sensitive information.
   ```



##########
website/blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "The Vulnerability of Leaking Information in Error Response from 
jwt-auth Plugin(CVE-2022-29266)"
+keywords: 
+- Vulnerability
+- jwt-auth
+- Error Response
+description: In APISIX 2.13.1 and previous versions, there is a problem of 
information leakage caused by the `jwt- auth` plug-in.

Review Comment:
   ```suggestion
   description: In APISIX 2.13.0 and previous versions, there is a problem of 
information leakage caused by the `jwt- auth` plug-in.
   ```



##########
website/blog/2022/04/20/cve-2022-29266.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "The Vulnerability of Leaking Information in Error Response from 
jwt-auth Plugin(CVE-2022-29266)"
+keywords: 
+- Vulnerability
+- jwt-auth
+- Error Response
+description: In APISIX 2.13.1 and previous versions, there is a problem of 
information leakage caused by the `jwt- auth` plug-in.
+tags: [Security]
+---
+
+> In APISIX 2.13.1 and previous versions, there is a problem of information 
leakage caused by the `jwt- auth` plug-in.

Review Comment:
   ```suggestion
   > In APISIX 2.13.0 and previous versions, there is a problem of information 
leakage caused by the `jwt- auth` plug-in.
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
