CVE-2024-35196: Slack integration leaks sensitive information in logs
Sentry’s Slack integration incorrectly records the incoming request body in logs. This request data can contain sensitive information, including the deprecated Slack verification token. With this verification token, it is possible under specific configurations, an attacker can forge requests and act as the Slack integration.
The request body is leaked in log entries matching event == "slack.*" && name == "sentry.integrations.slack" && request_data == *. The deprecated slack verification token, will be found in the request_data.token key.
Example event:
{
"name": "sentry.integrations.slack",
"level": "info",
"event": "slack.event.message", # This could be any of the `slack.*` events
"request_data": {
References
- api.slack.com/authentication/verifying-requests-from-slack
- api.slack.com/authentication/verifying-requests-from-slack
- api.slack.com/authentication/verifying-requests-from-slack
- develop.sentry.dev/integrations/slack
- github.com/advisories/GHSA-c2g2-gx4j-rj3j
- github.com/getsentry/sentry
- github.com/getsentry/sentry/blob/17d2b87e39ccd57e11da4deed62971ff306253d1/src/sentry/conf/server.py
- github.com/getsentry/sentry/pull/70508
- github.com/getsentry/sentry/security/advisories/GHSA-c2g2-gx4j-rj3j
- nvd.nist.gov/vuln/detail/CVE-2024-35196
Detect and mitigate CVE-2024-35196 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →