CVE-2022-39292

2022-10-1015:15:09

CWE-1258

GitHub_M

web.nvd.nist.gov

217

slack morphism

slack client library

slack api

socket mode

block kit

cve-2022-39292

security vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

48.7%

JSON

Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed in version 1.3.2 which redacts sensitive URLs for webhooks. As a workaround, people who use Slack webhooks may disable or filter debug logs.

Affected configurations

Nvd

Vulners

Node

slack_morphism_projectslack_morphismRange≤1.3.0rust

VendorProductVersionCPE
slack_morphism_projectslack_morphism*cpe:2.3:a:slack_morphism_project:slack_morphism:*:*:*:*:*:rust:*:*

Vendor	Product	Version	CPE
slack_morphism_project	slack_morphism	*	cpe:2.3:a:slack_morphism_project:slack_morphism::::::rust::*

CNA Affected

[
  {
    "vendor": "abdolence",
    "product": "slack-morphism-rust",
    "versions": [
      {
        "version": "<= 1.3.0",
        "status": "affected"
      }
    ]
  }
]