Vulnerability Details CVE-2022-29266
In Apache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.134
EPSS Ranking 93.8%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
Products affected by CVE-2022-29266
- cpe:2.3:a:apache:apisix:-
- cpe:2.3:a:apache:apisix:0.2
- cpe:2.3:a:apache:apisix:0.3
- cpe:2.3:a:apache:apisix:0.3-1
- cpe:2.3:a:apache:apisix:0.4.1
- cpe:2.3:a:apache:apisix:0.5
- cpe:2.3:a:apache:apisix:0.6rc0
- cpe:2.3:a:apache:apisix:0.7
- cpe:2.3:a:apache:apisix:0.8
- cpe:2.3:a:apache:apisix:0.9-
- cpe:2.3:a:apache:apisix:0.9rc1
- cpe:2.3:a:apache:apisix:1.0
- cpe:2.3:a:apache:apisix:1.1
- cpe:2.3:a:apache:apisix:1.2
- cpe:2.3:a:apache:apisix:1.3
- cpe:2.3:a:apache:apisix:1.4
- cpe:2.3:a:apache:apisix:1.4.1
- cpe:2.3:a:apache:apisix:1.5
- cpe:2.3:a:apache:apisix:2.0
- cpe:2.3:a:apache:apisix:2.1
- cpe:2.3:a:apache:apisix:2.10.0
- cpe:2.3:a:apache:apisix:2.10.1
- cpe:2.3:a:apache:apisix:2.10.2
- cpe:2.3:a:apache:apisix:2.10.3
- cpe:2.3:a:apache:apisix:2.10.4
- cpe:2.3:a:apache:apisix:2.11.0
- cpe:2.3:a:apache:apisix:2.12.0
- cpe:2.3:a:apache:apisix:2.12.1
- cpe:2.3:a:apache:apisix:2.13.0
- cpe:2.3:a:apache:apisix:2.2
- cpe:2.3:a:apache:apisix:2.3
- cpe:2.3:a:apache:apisix:2.4
- cpe:2.3:a:apache:apisix:2.5
- cpe:2.3:a:apache:apisix:2.6
- cpe:2.3:a:apache:apisix:2.7
- cpe:2.3:a:apache:apisix:2.8
- cpe:2.3:a:apache:apisix:2.9