CVE-2022-39292

Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed in version 1.3.2 which redacts sensitive URLs for webhooks. As a workaround, people who use Slack webhooks may disable or filter debug logs.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2	Release Notes Third Party Advisory
https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-4mjx-2gh5-ph8h	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:slack_morphism_project:slack_morphism:*:*:*:*:*:rust:*:*

History

11 Oct 2022, 18:13

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-10-10 15:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-39292

Mitre link : CVE-2022-39292

CVE.ORG link : CVE-2022-39292

JSON object : View

Products Affected

slack_morphism_project

slack_morphism

CWE

CWE-1258

Exposure of Sensitive System Information Due to Uncleared Debug Information

{"id": "CVE-2022-39292", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-10-10T15:15:09.783", "references": [{"url": "https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-4mjx-2gh5-ph8h", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1258"}]}], "descriptions": [{"lang": "en", "value": "Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed in version 1.3.2 which redacts sensitive URLs for webhooks. As a workaround, people who use Slack webhooks may disable or filter debug logs."}, {"lang": "es", "value": "Slack Morphism es una moderna librer\u00eda cliente para Slack Web/Events API/Socket Mode y Block Kit. Los registros de depuraci\u00f3n exponen URLs confidenciales para los webhooks de Slack que contienen informaci\u00f3n privada. El problema ha sido corregido en versi\u00f3n 1.3.2 que redacta las URLs confidenciales para los webhooks. Como mitigaci\u00f3n, las personas que usan los webhooks de Slack pueden deshabilitar o filtrar los registros de depuraci\u00f3n"}], "lastModified": "2022-10-11T18:13:45.633", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:slack_morphism_project:slack_morphism:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "B0DBEA59-ED0B-4AA4-8068-FFB74E590886", "versionEndIncluding": "1.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}