CVE-2022-31162 Slack OAuth client information can leak in application debug logs before 0.41.0.


If you encounter issues while debugging an application, search the application logs for any lines that contain the word “OAuth” and review the information being printed. An updated debug formatting rule was introduced in v0.41.0 to reduce the possibility of leaking client information in debug logs. If you are not upgrading your application to v0.41.0, a work-around is to remove all mentions of Slack from application logs. For further information, see this X3 Google security research post.
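As an added illustration (not code from the page or from the affected project, which the page does not name), the Rust snippet below shows the class of fix the advisory describes: a secret newtype whose derived Debug prints the value verbatim into a debug log line, beside one whose hand-written Debug redacts it. The type names, the sample secret and the log-check helper are constructed for this example.

```rust
use std::fmt;

// Constructed sample OAuth client secret for this example (not a real credential).
pub const SAMPLE_SECRET: &str = "constructed-client-secret-0123456789";

// Before the fix: a derived Debug prints the wrapped value verbatim, so any
// `{:?}` of a struct holding it writes the secret into debug logs.
#[derive(Debug, Clone)]
pub struct LeakyClientSecret(pub String);

// After the fix: a hand-written Debug impl redacts the value. The type still
// carries the secret for use in requests; only its debug form changes.
#[derive(Clone)]
pub struct RedactedClientSecret(pub String);

impl fmt::Debug for RedactedClientSecret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Fixed marker only: nothing (length, prefix) is derived from the secret.
        write!(f, "ClientSecret(\"***\")")
    }
}

// Hypothetical client configuration that an application logs at debug level.
#[derive(Debug)]
pub struct OAuthConfig<S: fmt::Debug> {
    pub client_id: String,
    pub client_secret: S,
}

fn debug_line<S: fmt::Debug>(secret: S) -> String {
    let cfg = OAuthConfig { client_id: "example-client-id".into(), client_secret: secret };
    format!("DEBUG OAuth token exchange with config {:?}", cfg)
}

pub fn debug_line_leaky() -> String {
    debug_line(LeakyClientSecret(SAMPLE_SECRET.into()))
}

pub fn debug_line_redacted() -> String {
    debug_line(RedactedClientSecret(SAMPLE_SECRET.into()))
}

// Log review helper following the advisory's advice: flag "OAuth" lines that
// also carry a known secret value.
pub fn line_leaks_secret(line: &str, secret: &str) -> bool {
    line.contains("OAuth") && line.contains(secret)
}

fn main() {
    println!("{}", debug_line_leaky());
    println!("{}", debug_line_redacted());
}
```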


How to find sensitive information in Slack app logs

If you find sensitive information in application logs from a production server, review those logs for any unusual or suspicious activity. To reduce the possibility of leaking client information, an updated debug formatting rule was introduced in v0.41.0. If you are not upgrading your application to v0.41.0 and see leaks in logs caused by the old debug formatting rules, you can apply this change as a work-around. For further information, see this X3 Google security research post.

