This is an automated email from the ASF dual-hosted git repository. juzhiyuan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix-website.git
The following commit(s) were added to refs/heads/master by this push: new 294f0481838 docs: add CVE-2022-29266 post (#1051) 294f0481838 is described below commit 294f0481838004237a072ac4bc9bf029d316508a Author: Sylvia <39793568+sylviab...@users.noreply.github.com> AuthorDate: Sun Apr 24 15:03:39 2022 +0800 docs: add CVE-2022-29266 post (#1051) --- website/blog/2022/04/20/cve-2022-29266.md | 51 ++++++++++++++++++++++ .../2022/04/20/cve-2022-29266.md | 50 +++++++++++++++++++++ 2 files changed, 101 insertions(+) diff --git a/website/blog/2022/04/20/cve-2022-29266.md b/website/blog/2022/04/20/cve-2022-29266.md new file mode 100644 index 00000000000..76b1eb45c27 --- /dev/null +++ b/website/blog/2022/04/20/cve-2022-29266.md 
@@ -0,0 +1,51 @@ +--- +title: "The Vulnerability of Leaking Information in Error Response from jwt-auth Plugin(CVE-2022-29266)" +keywords: +- Vulnerability +- jwt-auth +- Error Response +description: In APISIX 2.13.0 and previous versions, there is a problem of information leakage caused by the `jwt- auth` plugin. +tags: [Security] +--- + +> In APISIX 2.13.0 and previous versions, there is a problem of information leakage caused by the `jwt- auth` plugin. + +<!--truncate--> + +## Problem Description + +The `jwt- auth` plugin has a security problem of leaking the user's secret key because the error message returned from the dependent library `lua-resty-jwt` contains sensitive information. + +## Affected Versions + +Apache APISIX 2.13.0 and all previous versions + +## Solution + +1. Please upgrade to Apache APISIX 2.13.1 or above immediately. +2. If it is not convenient to update the version, install the corresponding version of the patch on Apache APISIX to implement refactoring to bypass the vulnerability (after the patch is installed and takes effect, the error message received by the caller will be the fixed error message and will no longer contain sensitive information). + +The following patches apply to LTS 2.13.x or major versions: + +- https://github.com/apache/apisix/pull/6846 +- https://github.com/apache/apisix/pull/6847 +- https://github.com/apache/apisix/pull/6858 + +The following patches apply to the latest version of LTS 2.10.x: + +- https://github.com/apache/apisix/pull/6847 +- https://github.com/apache/apisix/pull/6855 + +## Vulnerability details + +Severity:Urgent + +Vulnerability public date: April 20, 2022 + +CVE details: https://nvd.nist.gov/vuln/detail/CVE-2022-29266 + +## Contributor Profile + +The vulnerability was discovered and reported by Tang Zhongyuan, Xie Hongfeng and Chen Bing of Kingdee Software (China). Thank you for your contribution to the Apache APISIX community. + + 
diff --git a/website/i18n/zh/docusaurus-plugin-content-blog/2022/04/20/cve-2022-29266.md b/website/i18n/zh/docusaurus-plugin-content-blog/2022/04/20/cve-2022-29266.md new file mode 100644 index 00000000000..364aec5897d --- /dev/null +++ b/website/i18n/zh/docusaurus-plugin-content-blog/2022/04/20/cve-2022-29266.md @@ -0,0 +1,50 @@ +--- +title: "APISIX jwt-auth 插件存在错误响应中泄露信息的风险公告(CVE-2022-29266)" +keywords: +- 风险公告 +- jwt-auth +- 错误响应 +- 漏洞补丁 +description: 在 APISIX 2.13.0 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。 +tags: [Security] +--- + +> 在 APISIX 2.13.0 及之前版本中,存在因 `jwt-auth` 插件引起的信息泄漏问题,现将处理信息进行相关公告。 + +<!--truncate--> + +## 问题描述 + +`jwt-auth` 插件存在泄露用户秘钥的安全问题,因为从依赖库 `lua-resty-jwt` 返回的错误信息中包含敏感信息。 + +## 影响版本 + +Apache APISIX 2.13.0 及其之前全部版本 + +## 解决方案 + +1. 请立即升级至 Apache APISIX 2.13.1 及以上版本。 +2. 如果不方便更新版本,请在 Apache APISIX 上安装对应版本的补丁包,实现重构,以绕过该漏洞(补丁包安装且生效后,调用方接收到的错误信息将为修复后的错误信息,不再包含敏感信息)。 + +以下补丁包适用于 LTS 2.13.x 或主版本: + +- https://github.com/apache/apisix/pull/6846 +- https://github.com/apache/apisix/pull/6847 +- https://github.com/apache/apisix/pull/6858 + +以下补丁包适用于最新的 LTS 2.10.x 版本: + +- https://github.com/apache/apisix/pull/6847 +- https://github.com/apache/apisix/pull/6855 + +## 漏洞详情 + +- 漏洞优先级:紧急 +- 漏洞公开时间:2022 年 4 月 20 日 +- CVE 详细信息:https://nvd.nist.gov/vuln/detail/CVE-2022-29266 + +## 贡献者简介 + +该漏洞由金蝶软件(中国)有限公司的唐忠远、谢鸿峰和陈兵发现并报告,感谢各位对 Apache APISIX 社区的贡献。 + +
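Review bot: In the English post (website/blog/2022/04/20/cve-2022-29266.md) the plugin name is written with a stray space inside the backticks as `jwt- auth` in the `description:` front matter, in the blockquote and in the "Problem Description" paragraph, while the title and keywords use `jwt-auth`; since this is the identifier readers will search for and copy, replace all three occurrences with `jwt-auth` (the Chinese post already spells it correctly). The same hunk also has missing spaces in `title: "... jwt-auth Plugin(CVE-2022-29266)"` and `Severity:Urgent`, the heading `## Vulnerability details` does not follow the Title Case used by `## Problem Description` and `## Affected Versions`, and the three items under that heading are loose paragraphs where the Chinese post uses a bullet list; aligning the two layouts would help since both files describe the same advisory.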
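Review bot: In the Chinese post (website/i18n/zh/docusaurus-plugin-content-blog/2022/04/20/cve-2022-29266.md) the "问题描述" paragraph writes "秘钥" where the standard term for a secret key is "密钥"; please correct the spelling. The `keywords:` list also carries a fourth entry, `- 漏洞补丁`, that has no counterpart in the English front matter, so the two posts will not be indexed alike; either add an equivalent keyword to the English file or drop it here. Finally, https://github.com/apache/apisix/pull/6847 is listed under both the "LTS 2.13.x 或主版本" and the "LTS 2.10.x" patch lists (in both language versions); if that PR really applies to both lines a short note saying so would save readers from assuming a copy-paste error.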