
Asottile

#53546 of 53,638
2 Total CVSS
Vulnerabilities · 1
PT-2024-26374
2.0
2024-05-31
Sentry · Sentry · CVE-2024-35196
**Name of the Vulnerable Software and Affected Versions**

Sentry versions prior to 24.5.0

**Description**

Sentry's Slack integration incorrectly records the incoming request body in logs, which can contain sensitive information, including the deprecated Slack verification token. Under specific configurations this token can be used by an attacker to forge requests and act as the Slack integration. The request body is leaked in log entries matching `event == "slack.*" && name == "sentry.integrations.slack" && request data == *`, with the deprecated Slack verification token found in the `request data.token` key.

**Recommendations**

For self-hosted users, upgrade to version 24.5.0 or higher, rotate the Slack verification token, and use the Slack Signing Secret instead of the verification token. As a temporary workaround, set `slack.signing-secret` instead of `slack.verification-token` so that the verification token can no longer be used for authentication. Alternatively, adjust the logging configuration so the integration generates no logs: route its logs to a null handler and prevent generation of logs at lower levels. Restart the services once the configuration change is saved.
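The two log-side workarounds above, as an added example in Python that is not Sentry's own code: a `logging.Filter` that redacts the token key from the request body before any handler writes it, and a null-handler configuration that silences the integration logger entirely. The logger name `sentry.integrations.slack` comes from the advisory; the record attribute name `request_data` is an assumption (the advisory writes it as `request data`).

```python
import logging

# Added example, not Sentry's code. Assumes the integration attaches the
# incoming request body to log records as a dict under `request_data`.
SLACK_LOGGER = "sentry.integrations.slack"
REDACTED = "[REDACTED]"
SENSITIVE_KEYS = {"token"}  # the deprecated Slack verification token


class SlackTokenRedactor(logging.Filter):
    """Redact sensitive keys in the request body attached to a record."""

    def filter(self, record: logging.LogRecord) -> bool:
        if record.name.startswith(SLACK_LOGGER):
            data = getattr(record, "request_data", None)
            if isinstance(data, dict):
                # Rebuild the dict so the caller's object stays untouched.
                record.request_data = {
                    k: (REDACTED if k in SENSITIVE_KEYS else v)
                    for k, v in data.items()
                }
        return True  # keep the record; only its payload was changed


def install_redactor() -> logging.Logger:
    """Workaround 1: attach the redaction filter to the integration logger.
    Note: logger-level filters only see records logged directly on this
    logger; attach the filter to a handler to cover child loggers too."""
    logger = logging.getLogger(SLACK_LOGGER)
    logger.addFilter(SlackTokenRedactor())
    return logger


def silence_slack_logger() -> logging.Logger:
    """Workaround 2: route the integration logger to a null handler, stop
    propagation to parent handlers, and block every level."""
    logger = logging.getLogger(SLACK_LOGGER)
    logger.handlers.clear()
    logger.addHandler(logging.NullHandler())
    logger.propagate = False
    logger.setLevel(logging.CRITICAL + 1)
    return logger


def slack_logger_is_silenced() -> bool:
    """Check that silence_slack_logger() took effect."""
    logger = logging.getLogger(SLACK_LOGGER)
    return (not logger.propagate
            and any(isinstance(h, logging.NullHandler) for h in logger.handlers)
            and not logger.isEnabledFor(logging.CRITICAL))


def redacted_payload(request_data: dict) -> dict:
    """Run one constructed record through the filter; return its payload."""
    record = logging.LogRecord(SLACK_LOGGER, logging.INFO, "constructed", 0,
                               "slack.event", None, None)
    record.request_data = request_data
    SlackTokenRedactor().filter(record)
    return record.request_data
```

Redaction keeps the rest of the request body available for debugging, whereas the null handler removes the integration's logs altogether; the advisory's primary fix is still upgrading and switching to the Signing Secret.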