cnvd - cnvd-2023-64031

CNVD-2023-64031

Vulnerability from cnvd - Published: 2023-08-18

Title

Slack Morphism信息泄露漏洞

Description

Slack Morphism是Rust的现代异步客户端库，支持Slack Web/Events API/Socket Mode和Block Kit。 Slack Morphism 0.41.0之前版本存在信息泄露漏洞，该漏洞源于在应用程序调试日志中可能泄漏Slack OAuth客户端信息。攻击者可利用漏洞获取敏感信息。

Severity

高

Patch Name

Slack Morphism信息泄露漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-99j7-mhfh-w84p

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-31162

Impacted products

Name
Slack Morphism Slack Morphism <0.41.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-31162",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-31162"
    }
  },
  "description": "Slack Morphism\u662fRust\u7684\u73b0\u4ee3\u5f02\u6b65\u5ba2\u6237\u7aef\u5e93\uff0c\u652f\u6301Slack Web/Events API/Socket Mode\u548cBlock Kit\u3002\n\nSlack Morphism 0.41.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u5e94\u7528\u7a0b\u5e8f\u8c03\u8bd5\u65e5\u5fd7\u4e2d\u53ef\u80fd\u6cc4\u6f0fSlack OAuth\u5ba2\u6237\u7aef\u4fe1\u606f\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-99j7-mhfh-w84p",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-64031",
  "openTime": "2023-08-18",
  "patchDescription": "Slack Morphism\u662fRust\u7684\u73b0\u4ee3\u5f02\u6b65\u5ba2\u6237\u7aef\u5e93\uff0c\u652f\u6301Slack Web/Events API/Socket Mode\u548cBlock Kit\u3002\r\n\r\nSlack Morphism 0.41.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u5e94\u7528\u7a0b\u5e8f\u8c03\u8bd5\u65e5\u5fd7\u4e2d\u53ef\u80fd\u6cc4\u6f0fSlack OAuth\u5ba2\u6237\u7aef\u4fe1\u606f\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Slack Morphism\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Slack Morphism Slack Morphism \u003c0.41.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-31162",
  "serverity": "\u9ad8",
  "submitTime": "2022-07-26",
  "title": "Slack Morphism\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2022-31162 (GCVE-0-2022-31162)

Vulnerability from cvelistv5 – Published: 2022-07-21 13:20 – Updated: 2025-04-23 17:57

Summary

Slack Morphism is an async client library for Rust. Prior to 0.41.0, it was possible for Slack OAuth client information to leak in application debug logs. Stricter and more secure debug formatting was introduced in v0.41.0 for OAuth secret types to reduce the possibility of printing sensitive information in application logs. As a workaround, do not print/output requests and responses for OAuth and client configurations in logs.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-1258 - Exposure of Sensitive System Information Due to Uncleared Debug Information
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/abdolence/slack-morphism-rust/…	x_refsource_CONFIRM
	https://github.com/abdolence/slack-morphism-rust/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	abdolence	slack-morphism-rust	Affected: < 0.41.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.603Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-99j7-mhfh-w84p"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/abdolence/slack-morphism-rust/releases/tag/v0.41.0"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31162",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:53:20.715996Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T17:57:53.113Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "slack-morphism-rust",
          "vendor": "abdolence",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.41.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Slack Morphism is an async client library for Rust. Prior to 0.41.0, it was possible for Slack OAuth client information to leak in application debug logs. Stricter and more secure debug formatting was introduced in v0.41.0 for OAuth secret types to reduce the possibility of printing sensitive information in application logs. As a workaround, do not print/output requests and responses for OAuth and client configurations in logs."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1258",
              "description": "CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-21T13:20:12.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-99j7-mhfh-w84p"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/abdolence/slack-morphism-rust/releases/tag/v0.41.0"
        }
      ],
      "source": {
        "advisory": "GHSA-99j7-mhfh-w84p",
        "discovery": "UNKNOWN"
      },
      "title": "Slack Morphism for Rust before 0.41.0 can accidentally leak Slack OAuth client information in application debug logs",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31162",
          "STATE": "PUBLIC",
          "TITLE": "Slack Morphism for Rust before 0.41.0 can accidentally leak Slack OAuth client information in application debug logs"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "slack-morphism-rust",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.41.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "abdolence"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Slack Morphism is an async client library for Rust. Prior to 0.41.0, it was possible for Slack OAuth client information to leak in application debug logs. Stricter and more secure debug formatting was introduced in v0.41.0 for OAuth secret types to reduce the possibility of printing sensitive information in application logs. As a workaround, do not print/output requests and responses for OAuth and client configurations in logs."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-99j7-mhfh-w84p",
              "refsource": "CONFIRM",
              "url": "https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-99j7-mhfh-w84p"
            },
            {
              "name": "https://github.com/abdolence/slack-morphism-rust/releases/tag/v0.41.0",
              "refsource": "MISC",
              "url": "https://github.com/abdolence/slack-morphism-rust/releases/tag/v0.41.0"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-99j7-mhfh-w84p",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31162",
    "datePublished": "2022-07-21T13:20:12.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-23T17:57:53.113Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-64031

CVE-2022-31162 (GCVE-0-2022-31162)

Tags

Sightings

Nomenclature