CVE-2022-31162

7.5 HIGH

📋 TL;DR

Slack Morphism Rust library versions before 0.41.0 could leak Slack OAuth client secrets in debug logs. This exposes authentication credentials that could allow attackers to impersonate applications. Any Rust application using vulnerable versions of slack-morphism-rust for Slack integrations is affected.

💻 Affected Systems

Products:
  • slack-morphism-rust
Versions: All versions before 0.41.0
Operating Systems: Any OS running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when debug logging is enabled for OAuth operations. Applications must be actively using the library's OAuth functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers obtain OAuth secrets from logs, impersonate the Slack application, access sensitive Slack workspace data, and potentially compromise connected systems.

🟠 Likely Case: Unauthorized access to Slack channels, messages, and workspace data if logs containing OAuth secrets are exposed.

🟢 If Mitigated: Minimal impact with proper log sanitization and access controls preventing exposure of debug logs.

🌐 Internet-Facing: MEDIUM - Risk depends on whether debug logs containing OAuth secrets are exposed externally through misconfigured logging systems.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could access logs containing OAuth secrets.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires access to application logs containing OAuth secrets.

Exploitation depends on access to debug logs. No authentication bypass required once logs are accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.41.0 and later

Vendor Advisory: https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-99j7-mhfh-w84p

Restart Required: Yes

Instructions:

1. Update Cargo.toml to require slack-morphism >=0.41.0
2. Run 'cargo update slack-morphism'
3. Rebuild and redeploy your application
4. Restart all services using the library

🔧 Temporary Workarounds

Disable OAuth debug logging (all platforms)

Configure application logging to exclude OAuth requests/responses and client configurations from debug output. Configure log filters to exclude the slack_morphism::client and slack_morphism::oauth modules from debug logging.

🧯 If You Can't Patch

  • Implement strict access controls on application logs to prevent unauthorized access
  • Configure log aggregation systems to filter or redact OAuth-related entries before storage

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for slack-morphism version <0.41.0

Check Version:

grep -A2 'name = "slack-morphism"' Cargo.lock | grep version

Verify Fix Applied:

Confirm slack-morphism version >=0.41.0 in Cargo.lock and test that OAuth secrets are not printed in debug logs
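The grep above finds the first matching entry only. The check below is an added example (not code from the advisory or from the slack-morphism project) that reads a Cargo.lock, collects every slack-morphism entry (a lock file can pin the same crate at several versions), and compares each against the fixed release 0.41.0, treating a pre-release of 0.41.0 as still vulnerable. The Cargo.lock fragment embedded in it is constructed for the example; to use it on a real project, replace SAMPLE_LOCK with the contents of your own lock file.

```rust
// Added example, not the advisory's or the project's code: check a Cargo.lock for
// slack-morphism versions older than the fixed release. Only std is used.

const FIXED_VERSION: (u64, u64, u64) = (0, 41, 0);

/// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into (core triple, is_pre_release).
/// Returns None when the core part is not three dot-separated integers.
fn parse_semver(v: &str) -> Option<((u64, u64, u64), bool)> {
    let pre = v.contains('-');
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut nums = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = nums.next()??;
    let minor = nums.next()??;
    let patch = nums.next()??;
    Some(((major, minor, patch), pre))
}

/// Collect every `version` recorded for `package` in Cargo.lock text. Each
/// dependency is a `[[package]]` table whose `name = "..."` line precedes its
/// `version = "..."` line, so a small line scanner is enough.
fn lock_versions(lock: &str, package: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut in_target = false;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            in_target = false;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            in_target = rest.trim_matches('"') == package;
        } else if in_target {
            if let Some(rest) = line.strip_prefix("version = ") {
                out.push(rest.trim_matches('"').to_string());
            }
        }
    }
    out
}

/// Some(true) when `v` is below 0.41.0 or is a pre-release of 0.41.0; None if unparseable.
fn is_vulnerable_version(v: &str) -> Option<bool> {
    let (core, pre) = parse_semver(v)?;
    Some(core < FIXED_VERSION || (core == FIXED_VERSION && pre))
}

/// Vulnerable slack-morphism versions found in the lock file. An unparseable
/// version string is reported as vulnerable rather than silently accepted.
fn vulnerable_versions(lock: &str) -> Vec<String> {
    lock_versions(lock, "slack-morphism")
        .into_iter()
        .filter(|v| is_vulnerable_version(v).unwrap_or(true))
        .collect()
}

// Constructed Cargo.lock fragment for the example; not a real project's lock file.
const SAMPLE_LOCK: &str = r#"version = 3

[[package]]
name = "serde"
version = "1.0.140"

[[package]]
name = "slack-morphism"
version = "0.40.2"
dependencies = [
 "serde",
]
"#;

fn main() {
    let found = vulnerable_versions(SAMPLE_LOCK);
    if found.is_empty() {
        println!("no vulnerable slack-morphism version in Cargo.lock");
    } else {
        println!("vulnerable slack-morphism version(s): {}", found.join(", "));
    }
}
```

The scanner deliberately ignores `version = 3` at the top of the file (it is not inside a `[[package]]` table) and keeps scanning after the target entry, so a lock that pins two versions of the crate reports both.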

📡 Detection & Monitoring

Log Indicators:

  • Debug logs containing 'client_secret', 'access_token', 'refresh_token', or other OAuth credentials from slack-morphism operations

Network Indicators:

  • Unusual Slack API requests from unexpected sources using potentially leaked credentials

SIEM Query:

source="application_logs" AND "slack-morphism" AND ("client_secret" OR "access_token" OR "refresh_token")
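The SIEM query above and the "filter or redact OAuth-related entries before storage" workaround under "If You Can't Patch" need the same two pieces of logic: recognise a slack-morphism log line that names a credential key, and mask the value before the line is stored. The following is an added example (not code from the advisory or from slack-morphism) of both. It assumes log lines in the usual tracing/log shape (timestamp, level, module target, message) and handles the three value syntaxes such a leak would realistically take: `key=value`, Rust Debug output (`key: "value"`) and JSON bodies (`"key":"value"`). The sample lines are constructed; the credential values in them are placeholders.

```rust
// Added example, not the advisory's or the project's code: flag log lines that
// carry the credential keys a vulnerable debug log could emit, and redact the
// values before the line reaches long-term storage. Only std is used.

const SENSITIVE_KEYS: [&str; 3] = ["client_secret", "access_token", "refresh_token"];

/// Detection: the line comes from slack-morphism (crate or module spelling)
/// and names one of the credential keys. Mirrors the SIEM query in the advisory.
fn is_leak_indicator(line: &str) -> bool {
    let lower = line.to_ascii_lowercase();
    (lower.contains("slack-morphism") || lower.contains("slack_morphism"))
        && SENSITIVE_KEYS.iter().any(|k| lower.contains(k))
}

/// Length of the separator between a key and its value: an optional closing
/// quote around the key, then ':' or '=', then spaces, then an optional opening
/// quote. Returns None when the key is not directly followed by a value
/// (e.g. "access_token_expiry"), so unrelated words are left untouched.
fn separator_len(tail: &str) -> Option<usize> {
    let b = tail.as_bytes();
    let mut i = 0;
    if b.get(i) == Some(&b'"') { i += 1; }
    if !matches!(b.get(i), Some(&b':') | Some(&b'=')) { return None; }
    i += 1;
    while b.get(i) == Some(&b' ') { i += 1; }
    if b.get(i) == Some(&b'"') { i += 1; }
    Some(i) // only ASCII bytes were consumed, so i is on a char boundary
}

/// Replace the value following every occurrence of `key` with "[REDACTED]".
fn redact_key(line: &str, key: &str) -> String {
    let mut out = String::with_capacity(line.len());
    let mut rest = line;
    // ASCII lowercasing keeps byte offsets identical, so a match found in the
    // lowercase copy can be used to slice the original (case-preserving) line.
    while let Some(idx) = rest.to_ascii_lowercase().find(key) {
        let key_end = idx + key.len();
        out.push_str(&rest[..key_end]);
        rest = &rest[key_end..];
        let Some(sep) = separator_len(rest) else { continue };
        out.push_str(&rest[..sep]);
        rest = &rest[sep..];
        // The value ends at a quote, comma, closing bracket or whitespace.
        let value_len = rest
            .find(|c: char| matches!(c, '"' | ',' | '}' | ')' | ']') || c.is_whitespace())
            .unwrap_or(rest.len());
        out.push_str("[REDACTED]");
        rest = &rest[value_len..];
    }
    out.push_str(rest);
    out
}

/// Redact all credential keys in one line.
fn redact_line(line: &str) -> String {
    SENSITIVE_KEYS.iter().fold(line.to_string(), |acc, key| redact_key(&acc, key))
}

/// Run detection over a batch of lines; returns (line index, redacted line) for
/// every indicator, which is what an alert and a storage-side filter both need.
fn scan_log(lines: &[&str]) -> Vec<(usize, String)> {
    lines
        .iter()
        .enumerate()
        .filter(|(_, l)| is_leak_indicator(l))
        .map(|(i, l)| (i, redact_line(l)))
        .collect()
}

// Constructed sample lines in the shape of tracing/log output. "TokenRequest" is a
// made-up struct name and the credential values are placeholders, not real secrets.
const SAMPLE_LOG: [&str; 4] = [
    "2022-07-20T10:00:01Z DEBUG slack_morphism::client: TokenRequest { client_id: \"1234567890.123\", client_secret: \"cs-example-0123456789\", code: \"c-example\" }",
    "2022-07-20T10:00:02Z DEBUG slack_morphism::oauth: response body {\"ok\":true,\"access_token\":\"xoxb-example-token\",\"refresh_token\":\"xoxe-example-refresh\"}",
    "2022-07-20T10:00:03Z INFO  my_app::http: GET /healthz 200",
    "2022-07-20T10:00:04Z DEBUG my_app::slack: posting message to channel C0000000000",
];

fn main() {
    for (i, redacted) in scan_log(&SAMPLE_LOG) {
        println!("ALERT line {i}: {redacted}");
    }
}
```

Detection is deliberately keyed on the crate or module name plus a credential key, the same two conditions as the SIEM query; the redactor is separate so it can also run on lines that were not flagged, which is the safer default in a log pipeline.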

🔗 References
