Vulnerability Description
Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed in version 1.3.2 which redacts sensitive URLs for webhooks. As a workaround, people who use Slack webhooks may disable or filter debug logs.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Slack Morphism Project | Slack Morphism | <= 1.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2Release NotesThird Party Advisory
- https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-4mjx-2Third Party Advisory
- https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2Release NotesThird Party Advisory
- https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-4mjx-2Third Party Advisory
FAQ
What is CVE-2022-39292?
CVE-2022-39292 is a vulnerability with a CVSS score of 7.5 (HIGH). Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed...
How severe is CVE-2022-39292?
CVE-2022-39292 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39292?
Check the references section above for vendor advisories and patch information. Affected products include: Slack Morphism Project Slack Morphism.