Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00bWp4LTJnaDUtcGg4aM4AAvOD
Exposure of sensitive Slack webhook URLs in debug logs and traces
Impact
Debug logs expose sensitive URLs for Slack webhooks that contain private information.
Patches
The problem is fixed in v1.3.2 which redacts sensitive URLs for webhooks.
Workarounds
Disabling/filtering debug logs in case you use Slack webhooks using tracing log level and filters.
References
https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2
For more information
If you have any questions or comments about this advisory:
- Open an issue in repo
- Read our security policy
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00bWp4LTJnaDUtcGg4aM4AAvOD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-4mjx-2gh5-ph8h, CVE-2022-39292
References:
- https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-4mjx-2gh5-ph8h
- https://nvd.nist.gov/vuln/detail/CVE-2022-39292
- https://github.com/abdolence/slack-morphism-rust/commit/48a1da2dc2ad3a5ccc60036d43f6f8fbb2c15f1d
- https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2
- https://github.com/abdolence/slack-morphism-rust/commit/65ef9fac4f39c4e171e2952a6cf029bb0d059a89
- https://rustsec.org/advisories/RUSTSEC-2022-0087.html
- https://github.com/advisories/GHSA-4mjx-2gh5-ph8h
Blast Radius: 6.8
Affected Packages
cargo:slack-morphism
Dependent packages: 3Dependent repositories: 8
Downloads: 186,965 total
Affected Version Ranges: < 1.3.2
Fixed in: 1.3.2
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.5.1, 0.5.3, 0.5.5, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.41.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1
All unaffected versions: 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.5, 1.15.0, 1.15.1, 1.16.0, 1.16.1, 1.17.0, 2.0.0, 2.1.0