CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response

[Zeping Bai <bzp2010 () apache org>]

Severity: critical

Description:

An attacker can obtain a plugin-configured secret via an error message response by sending an incorrect JSON Web Token 
to a route protected by the jwt-auth plugin.
The error logic in the dependency library lua-resty-jwt enables sending an RS256 token to an endpoint that requires an 
HS256 token, with the original secret value included in the error response.

Mitigation:

1. Upgrade to 2.13.1 and above

2. Apply the following patch to Apache APISIX and rebuild it:
This will make this error message no longer contain sensitive information and return a fixed error message to the 
caller.
For the current LTS 2.13.x or master:
https://github.com/apache/apisix/pull/6846
https://github.com/apache/apisix/pull/6847
https://github.com/apache/apisix/pull/6858
For the last LTS 2.10.x:
https://github.com/apache/apisix/pull/6847
https://github.com/apache/apisix/pull/6855

3. Manually modify the version you are using according to the commit above and rebuild it to circumvent the 
vulnerability.

Credit:

Discovered and reported by a team from Kingdee Software (China) Ltd. consisting of Zhongyuan Tang, Hongfeng Xie, and 
Bing Chen.