CVE-2022-39292 Exposure of sensitive Slack webhook URLs in debug logs and traces

2022-10-1000:00:00

CWE-1258

GitHub_M

www.cve.org

cve-2022-39292

slack morphism

debug logs

sensitive urls

webhooks

version 1.3.2

redacted

workaround

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

48.7%

JSON

Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed in version 1.3.2 which redacts sensitive URLs for webhooks. As a workaround, people who use Slack webhooks may disable or filter debug logs.

CNA Affected

[
  {
    "vendor": "abdolence",
    "product": "slack-morphism-rust",
    "versions": [
      {
        "version": "<= 1.3.0",
        "status": "affected"
      }
    ]
  }
]