Severity: critical Description:
An attacker can obtain a plugin-configured secret via an error message response by sending an incorrect JSON Web Token to a route protected by the jwt-auth plugin. The error logic in the dependency library lua-resty-jwt enables sending an RS256 token to an endpoint that requires an HS256 token, with the original secret value included in the error response. Mitigation: 1. Upgrade to 2.13.1 and above 2. Apply the following patch to Apache APISIX and rebuild it: This will make this error message no longer contain sensitive information and return a fixed error message to the caller. For the current LTS 2.13.x or master: https://github.com/apache/apisix/pull/6846 https://github.com/apache/apisix/pull/6847 https://github.com/apache/apisix/pull/6858 For the last LTS 2.10.x: https://github.com/apache/apisix/pull/6847 https://github.com/apache/apisix/pull/6855 3. Manually modify the version you are using according to the commit above and rebuild it to circumvent the vulnerability. Credit: Discovered and reported by a team from Kingdee Software (China) Ltd. consisting of Zhongyuan Tang, Hongfeng Xie, and Bing Chen.
