7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31162

GHSA ID

GHSA-99j7-mhfh-w84p

EPSS Score

0.32504%

CWE

CWE-200

Published

7/20/2022

Updated

7/24/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31162

CVE-2022-31162:
Slack Morphism for Rust before 0.41.0 can leak Slack OAuth client information in application debug logs

Impact

Potential/accidental leaking of Slack OAuth client information in application debug logs.

Patches

More strict and secure debug formatting was introduced in v0.41 for OAuth secret types to avoid the possibility of printing sensitive information in application logs.

Workarounds

Don't print/output in logs request and responses for OAuth and client configurations.

For more information

If you have any questions or comments about this advisory:

Open an issue in the repo
Email us at me@abdolence.dev

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31162

GHSA ID

GHSA-99j7-mhfh-w84p

EPSS Score

0.32504%

CWE

CWE-200

Published

7/20/2022

Updated

7/24/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
slack-morphism	rust	< 0.41.0	0.41.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from sensitive types implementing Debug traits that leaked secret values. The commit 4923fb7 shows:

SlackClientSecret and SlackSigningSecret received custom Debug implementations that mask values
SlackOAuthCode was introduced with a secure Debug implementation
Multiple locations changed from String to newtype wrappers with secure formatting This indicates the original Debug implementations for these types (present in <0.41.0 versions) would print sensitive values when debug-logged, matching CWE-1258 (uncleared debug info) and CWE-200 (sensitive info exposure).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Pot*nti*l/***i**nt*l l**kin* o* Sl**k O*ut* *li*nt in*orm*tion in *ppli**tion ***u* lo*s. ### P*t***s Mor* stri*t *n* s**ur* ***u* *orm*ttin* w*s intro*u*** in v*.** *or O*ut* s**r*t typ*s to *voi* t** possi*ility o* printin* s*nsitiv* in

Reasoning

T** vuln*r**ility st*ms *rom s*nsitiv* typ*s impl*m*ntin* ***u* tr*its t**t l**k** s**r*t v*lu*s. T** *ommit ******* s*ows: *. Sl**k*li*ntS**r*t *n* Sl**kSi*nin*S**r*t r***iv** *ustom ***u* impl*m*nt*tions t**t m*sk v*lu*s *. Sl**kO*ut**o** w*s intro

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-31162: Slack Morphism for Rust before 0.41.0 can leak Slack OAuth client information in application debug logs

Impact

Patches

Workarounds

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-31162:
Slack Morphism for Rust before 0.41.0 can leak Slack OAuth client information in application debug logs

Vulnerability Intelligence
Miggo AI