CVE-2022-39292
Exposure of sensitive Slack webhook URLs in debug logs and traces
In short
The Slack Morphism library for Rust wrote full Slack webhook URLs to its debug logs and traces. An incoming-webhook URL is itself the credential: whoever holds it can post messages to the configured channel with no further authentication, so anyone able to read those logs could impersonate the integration and send unauthorized messages to Slack channels.
Technical detail
Slack Morphism versions before 1.3.2 (tracked here as CWE-1258) include unredacted webhook URLs, whose path embeds the secret token, in debug-level log output and traces. Exploitation requires read access to those logs, whether on the host or in a centralized log store or tracing backend that receives them. The impact is unauthorized webhook invocations: the holder of the URL can post arbitrary messages to the target channel as the integration (message spoofing, phishing), and because the URL cannot be rotated from the library side, an exposed webhook has to be removed or regenerated in Slack. Fixed in version 1.3.2 by redacting webhook URLs in debug output.
Summary generated and translated by AI from the official description.
Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed in version 1.3.2 which redacts sensitive URLs for webhooks. As a workaround, people who use Slack webhooks may disable or filter debug logs.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
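The two mitigations the description names, as an added example in Rust that is not code from the Slack Morphism project: a newtype whose `Debug` impl (what `{:?}` and logging macros render) redacts the secret path of an incoming-webhook URL, which is the fix approach, and a scrubber for log lines produced by code you cannot change, which is the workaround. The `SlackWebhookUrl` type, the `redact_in_text` function and the sample URL and log line are constructed for this example; only the `https://hooks.slack.com/services/` prefix is the public format of Slack incoming-webhook URLs.

```rust
use std::fmt;

/// Prefix shared by every Slack incoming-webhook URL; everything after it
/// (team id / hook id / token) is the secret and must never be logged.
const WEBHOOK_PREFIX: &str = "https://hooks.slack.com/services/";

/// Newtype for a webhook URL. `Debug` never prints the secret path, so the
/// URL cannot leak through `{:?}`, `dbg!` or a tracing span that derives Debug.
#[derive(Clone)]
pub struct SlackWebhookUrl(String);

impl SlackWebhookUrl {
    /// Accepts only URLs with the webhook prefix and a non-empty secret path.
    /// The rejected value is deliberately not echoed in the error.
    pub fn new(url: impl Into<String>) -> Result<Self, String> {
        let url = url.into();
        if !url.starts_with(WEBHOOK_PREFIX) || url.len() == WEBHOOK_PREFIX.len() {
            return Err("not a Slack incoming webhook URL (value withheld)".to_string());
        }
        Ok(Self(url))
    }

    /// The only way to read the real URL back: an explicit accessor used at
    /// the point where the HTTP request is sent, never in logging.
    pub fn expose_secret(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for SlackWebhookUrl {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "SlackWebhookUrl({}***)", WEBHOOK_PREFIX)
    }
}

/// Workaround for existing log output: replace the secret path of every
/// webhook URL in `text` with `***`. The path is taken to end at the first
/// whitespace, quote, ')' or ',' character, which covers the common ways a
/// URL is embedded in a log line.
pub fn redact_in_text(text: &str) -> String {
    let mut out = String::with_capacity(text.len());
    let mut rest = text;
    while let Some(idx) = rest.find(WEBHOOK_PREFIX) {
        let secret_start = idx + WEBHOOK_PREFIX.len();
        out.push_str(&rest[..secret_start]);
        out.push_str("***");
        let tail = &rest[secret_start..];
        let end = tail
            .find(|c: char| c.is_whitespace() || c == '"' || c == '\'' || c == ')' || c == ',')
            .unwrap_or(tail.len());
        rest = &tail[end..];
    }
    out.push_str(rest);
    out
}

fn main() {
    // Constructed sample URL with a made-up token, not a real webhook.
    let hook = SlackWebhookUrl::new("https://hooks.slack.com/services/T0000/B0000/abc123").unwrap();
    println!("{:?}", hook);
    // Constructed log line of the kind that leaked before 1.3.2.
    let line = "DEBUG sending to https://hooks.slack.com/services/T0000/B0000/abc123 body={}";
    println!("{}", redact_in_text(line));
}
```

If the application must keep debug logging on while it runs an unpatched version, `redact_in_text` can be applied in a log formatter or in the shipping pipeline; the newtype is the durable fix because it makes the leak impossible at the type level rather than relying on a filter that has to recognize every log format.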
Affected products
abdolence · slack-morphism-rust