Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS00bWp4LTJnaDUtcGg4aM4AAvOD

Exposure of sensitive Slack webhook URLs in debug logs and traces

Impact

Debug logs expose sensitive URLs for Slack webhooks that contain private information.

Patches

The problem is fixed in v1.3.2 which redacts sensitive URLs for webhooks.

Workarounds

Disabling/filtering debug logs in case you use Slack webhooks using tracing log level and filters.

References

https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2

For more information

If you have any questions or comments about this advisory:

• Open an issue in repo
• Read our security policy

Permalink: https://github.com/advisories/GHSA-4mjx-2gh5-ph8h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00bWp4LTJnaDUtcGg4aM4AAvOD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-4mjx-2gh5-ph8h, CVE-2022-39292
References:

• https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-4mjx-2gh5-ph8h
• https://nvd.nist.gov/vuln/detail/CVE-2022-39292
• https://github.com/abdolence/slack-morphism-rust/commit/48a1da2dc2ad3a5ccc60036d43f6f8fbb2c15f1d
• https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2
• https://github.com/abdolence/slack-morphism-rust/commit/65ef9fac4f39c4e171e2952a6cf029bb0d059a89
• https://rustsec.org/advisories/RUSTSEC-2022-0087.html
• https://github.com/advisories/GHSA-4mjx-2gh5-ph8h

Repository: https://github.com/abdolence/slack-morphism-rust
Blast Radius: 6.8

Affected Packages