RUSTSEC-2022-0086

Slack OAuth Secrets leak in debug logs

Reported
Issued
Package: slack-morphism (crates.io)
Type: Vulnerability
Aliases
References
CVSS Score: 7.5 HIGH
CVSS Details
  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Patched
  • >=0.41.0

Description

Debug log formatting made it possible to leak OAuth secrets into debug logs.

The patched version introduces stricter checks to avoid this.
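
The class of bug described above, as an added example that is not slack-morphism's code or its actual fix: a derived `Debug` prints a secret field verbatim, while a wrapper type with a hand-written `Debug` keeps it out of log lines. All type names, the `debug_line` helper and the sample values are hypothetical and constructed for illustration.

```rust
use std::fmt;

// Hypothetical config type: derived Debug prints every field verbatim.
#[allow(dead_code)]
#[derive(Debug)]
struct LeakyOAuthConfig {
    client_id: String,
    client_secret: String,
}

// Hypothetical wrapper whose Debug output never contains the wrapped value.
struct Secret(String);

#[allow(dead_code)]
impl Secret {
    // Reading the secret has to be a deliberate, greppable call.
    fn expose(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret(<redacted>)")
    }
}

#[allow(dead_code)]
#[derive(Debug)]
struct SafeOAuthConfig {
    client_id: String,
    client_secret: Secret,
}

// Stand-in for a debug log call that formats its argument with {:?}.
fn debug_line<T: fmt::Debug>(value: &T) -> String {
    format!("config = {:?}", value)
}

fn main() {
    // Constructed sample values, not real credentials.
    let leaky = LeakyOAuthConfig { client_id: "1234.5678".into(), client_secret: "s3cr3t-example".into() };
    let safe = SafeOAuthConfig { client_id: "1234.5678".into(), client_secret: Secret("s3cr3t-example".into()) };
    println!("{}", debug_line(&leaky)); // secret appears in the line
    println!("{}", debug_line(&safe)); // secret is redacted
}
```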

Advisory available under CC0-1.0 license.