GitHub Advisory DatabaseGHSA-4MJX-2GH5-PH8HExposure of sensitive Slack webhook URLs in debug logs and traces
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
48.7%
Impact
Debug logs expose sensitive URLs for Slack webhooks that contain private information.
Patches
The problem is fixed in v1.3.2 which redacts sensitive URLs for webhooks.
Workarounds
Disabling/filtering debug logs in case you use Slack webhooks using tracing log level and filters.
References
https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2
For more information
If you have any questions or comments about this advisory:
- Open an issue in repo
- Read our security policy
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| slack_morphism_project | slack_morphism | * | cpe:2.3:a:slack_morphism_project:slack_morphism:*:*:*:*:*:rust:*:* |
References
github.com/abdolence/slack-morphism-rust/commit/48a1da2dc2ad3a5ccc60036d43f6f8fbb2c15f1d
github.com/abdolence/slack-morphism-rust/commit/65ef9fac4f39c4e171e2952a6cf029bb0d059a89
github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2
github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-4mjx-2gh5-ph8h
github.com/advisories/GHSA-4mjx-2gh5-ph8h
nvd.nist.gov/vuln/detail/CVE-2022-39292
rustsec.org/advisories/RUSTSEC-2022-0087.html
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
48.7%