CVE-2022-31162 Slack OAuth client information can leak in application debug logs before 0.41.0.
If you encounter issues while debugging an application, search for any application logs that contain the word “OAuth” and review the information being printed. An updated debug formatting rule was introduced in v0.41.0 to reduce the possibility of leaking client information in debug logs. If you are not upgrading your application to v0.41.0, a work-around is to remove all mentions of Slack from application logs. For further information, see this X3 Google security research post.
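The leak described here is the classic pattern of a configuration struct whose automatic debug representation prints every field, secrets included, whenever it is logged with a debug formatter. The example below is added here and is not the project's own code; it assumes Rust (where `{:?}` Debug output is what a "debug formatting rule" governs), and the type and field names (`LeakyOAuthClientConfig`, `OAuthClientConfig`, `client_secret`) are hypothetical. It shows the leaking derived form next to a manual Debug implementation that redacts the secret, and a small checker that performs the review step the advisory recommends: finding log lines that mention "OAuth" and also contain the configured secret.

```rust
use std::fmt;

/// Hypothetical config that derives Debug: every field, including the
/// secret, ends up in any `{:?}` log statement. This is the leaking shape.
#[derive(Debug)]
pub struct LeakyOAuthClientConfig {
    pub client_id: String,
    pub client_secret: String,
}

/// Same hypothetical config with a hand-written Debug implementation.
pub struct OAuthClientConfig {
    pub client_id: String,
    pub client_secret: String,
    pub redirect_uri: String,
}

/// Redact the secret while keeping the non-sensitive fields readable, so a
/// debug log of a failed token exchange stays useful without exposing it.
impl fmt::Debug for OAuthClientConfig {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("OAuthClientConfig")
            .field("client_id", &self.client_id)
            .field("client_secret", &"[REDACTED]")
            .field("redirect_uri", &self.redirect_uri)
            .finish()
    }
}

/// The text a `{:?}` debug log statement would emit for this config.
pub fn debug_log_line(cfg: &OAuthClientConfig) -> String {
    format!("token exchange failed for OAuth config {:?}", cfg)
}

/// Review step from the advisory: return the log lines that mention "OAuth"
/// and also contain the configured secret value verbatim.
pub fn lines_leaking_secret<'a>(lines: &[&'a str], secret: &str) -> Vec<&'a str> {
    lines
        .iter()
        .copied()
        .filter(|line| line.contains("OAuth") && line.contains(secret))
        .collect()
}

fn main() {
    // Constructed sample values, not real credentials.
    let secret = "constructed-secret-value";
    let leaky = LeakyOAuthClientConfig {
        client_id: "123.456".to_string(),
        client_secret: secret.to_string(),
    };
    let safe = OAuthClientConfig {
        client_id: "123.456".to_string(),
        client_secret: secret.to_string(),
        redirect_uri: "https://example.com/callback".to_string(),
    };

    // Derived Debug prints the secret; the manual impl does not.
    println!("leaky:    {:?}", leaky);
    println!("redacted: {}", debug_log_line(&safe));

    // Constructed log lines standing in for an application log file.
    let log = [
        "INFO  starting OAuth flow for client 123.456",
        "DEBUG OAuth config LeakyOAuthClientConfig { client_id: \"123.456\", client_secret: \"constructed-secret-value\" }",
        "WARN  unrelated message",
    ];
    for line in lines_leaking_secret(&log, secret) {
        println!("leak found: {}", line);
    }
}
```

Deriving Debug is convenient, but any type that carries credentials should either implement Debug by hand as above or wrap the secret in a newtype whose Debug output is fixed text; a log review that searches for the literal secret value, as `lines_leaking_secret` does, is the quickest way to confirm whether an existing deployment has already written it out.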
How to find sensitive information in Slack app logs
If you come across sensitive information in application logs from a production server, review those logs for any unusual or suspicious activity. To reduce the possibility of leaking client information, an updated debug formatting rule was introduced in v0.41.0. If you are not upgrading your application to v0.41.0 and see leaks in logs caused by the old debug formatting rules, remove Slack client information from the application logs as a work-around. For further information, see this X3 Google security research post.
Timeline
Published on: 07/22/2022 04:15:00 UTC
Last modified on: 07/29/2022 17:20:00 UTC