PT-2022-5024 · Slack · Slack Morphism

Abdolence · Published 2022-10-10 · Updated 2022-10-11 · CVE-2022-39292

CVSS v2.0: 7.8 High

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Slack Morphism versions prior to 1.3.2

Description

The issue is related to the exposure of sensitive information in debug logs. Specifically, debug logs may contain sensitive URLs for Slack webhooks that include private information. This could allow a remote attacker to gain unauthorized access to protected information.

Recommendations

For versions prior to 1.3.2, update to version 1.3.2, which redacts sensitive URLs for webhooks. As a temporary workaround, consider disabling or filtering debug logs, especially when using Slack webhooks, by adjusting the tracing log level and filters.
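
As an added illustration of the log-filtering workaround (not code from Slack Morphism or its 1.3.2 fix), the following std-only Rust scrubber redacts webhook paths from log lines before they are stored. The `https://hooks.slack.com/services/` prefix, the function names and the sample lines are assumptions constructed for this example.

```rust
// Added example: scrub Slack incoming-webhook URLs from a log line before it is stored.
// Assumption: webhook URLs start with this prefix and the secret is the path after it.
// The match is case-sensitive; normalise the line first if your logs vary in case.
const WEBHOOK_PREFIX: &str = "https://hooks.slack.com/services/";

/// Characters that end a URL inside a typical log line (whitespace, quotes, brackets).
fn is_url_end(c: char) -> bool {
    c.is_whitespace() || matches!(c, '"' | '\'' | ')' | ']' | '}' | '>' | ',')
}

/// Returns the line with every webhook path replaced, plus the number of redactions.
fn redact_webhook_urls(line: &str) -> (String, usize) {
    let mut out = String::with_capacity(line.len());
    let mut rest = line;
    let mut hits = 0;
    while let Some(pos) = rest.find(WEBHOOK_PREFIX) {
        let secret_start = pos + WEBHOOK_PREFIX.len();
        out.push_str(&rest[..secret_start]); // keep the host so the event stays readable
        let tail = &rest[secret_start..];
        let secret_len = tail.find(is_url_end).unwrap_or(tail.len());
        out.push_str("[REDACTED]");
        hits += 1;
        rest = &tail[secret_len..];
    }
    out.push_str(rest);
    (out, hits)
}

// Constructed sample lines (not real output from the crate); tokens are placeholders.
const SAMPLE_LOG: &[&str] = &[
    "DEBUG slack: Sending HTTP request to https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
    "DEBUG slack: uri=\"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXX\" status=200",
    "INFO app: listening on 127.0.0.1:8080",
];

fn main() {
    for line in SAMPLE_LOG {
        let (clean, hits) = redact_webhook_urls(line);
        println!("{} redaction(s): {}", hits, clean);
    }
}
```

A non-zero redaction count on logs that are already stored means a webhook URL was recorded in clear text, which is a reason to rotate that webhook.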

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

BDU:2022-06237
CVE-2022-39292
GHSA-4MJX-2GH5-PH8H
RUSTSEC-2022-0087

Affected Products

Slack Morphism