{"schema_version": "1.6.1", "id": "CVE-2022-29266", "summary": "apisix/jwt-auth may leak secrets in error response", "details": "In Apache APISIX before 2.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache APISIX"}, {"last_affected": "Apache APISIX"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"}]}