GHSA-c2g2-gx4j-rj3j
First published: Sun Jun 02 2024(Updated: )
### Impact Sentry's Slack integration incorrectly records the incoming request body in logs. This request data can contain sensitive information, including the [deprecated Slack verification token](https://api.slack.com/authentication/verifying-requests-from-slack#deprecation). With this verification token, it is possible under specific configurations, an attacker can forge requests and act as the Slack integration. The request body is leaked in log entries matching `event == "slack.*" && name == "sentry.integrations.slack" && request_data == *`. The deprecated slack verification token, will be found in the `request_data.token` key. Example event: ```json { "name": "sentry.integrations.slack", "level": "info", "event": "slack.event.message", # This could be any of the `slack.*` events "request_data": { # Other keys are omitted for brevity "token": "<MyDeprecatedSlackVerificationToken>", } } ``` ### Patches - **SaaS users** do not need to take any action. - **Self-hosted users** should upgrade to version 24.5.0 or higher, [rotate their Slack verification token](https://api.slack.com/authentication/verifying-requests-from-slack#regenerating), and [use the Slack Signing Secret instead of the verification token](https://develop.sentry.dev/integrations/slack/). - If you are only using the `slack.signing-secret` in your self-hosted configuration, then the legacy verification token is not used to verify the webhook payload. It is ignored. > ⚠️ Sentry's support for validating Slack requests via the legacy verification token will be deprecated in version 24.7.0. ### Workarounds #### Option 1 Set the `slack.signing-secret` instead of `slack.verification-token`. The [signing secret](https://api.slack.com/authentication/verifying-requests-from-slack#app-management-updates) is Slack's recommended way of authenticating webhooks. By having `slack.singing-secret` set, Sentry self-hosted will no longer use the verification token for authentication of the webhooks, regardless of whether `slack.verification-token` is set or not. #### Option 2 The deprecated Slack verification token is leaked in log levels of `INFO` and `ERROR` in the Slack integration. If the self-hosted instance is unable to be upgraded or re-configured to use the `slack.signing-secret`, the logging configuration can be adjusted to not generate logs from the integration. The [default logging configuration can be found in `src/sentry/conf/server.py`](https://github.com/getsentry/sentry/blob/17d2b87e39ccd57e11da4deed62971ff306253d1/src/sentry/conf/server.py#L1307). **Services should be restarted once the configuration change is saved.** Below you'll find an example of the configuration adjustments necessary to remove the Slack integration logs: ```python # src/sentry/conf/server.py ... LOGGING: LoggingConfig = { ... handlers: { # the line below already exists in the default configuration "null": {"class": "logging.NullHandler"}, ... }, "loggers": { "sentry.integrations.slack": { "handlers": ["null"], # route logs to null handler "level": "CRITICAL", # prevent generation of logs a lower levels (ex. ERROR and INFO) }, ... }, } ``` ### References - https://github.com/getsentry/sentry/pull/70508 - [Sentry Slack Integration Documentation for Self-Hosted users](https://develop.sentry.dev/integrations/slack/) - [Documentation on Slack Signing Secrets](https://api.slack.com/authentication/verifying-requests-from-slack#app-management-updates) - [Slack Deprecation for Verification Tokens](https://api.slack.com/authentication/verifying-requests-from-slack#deprecation)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/sentry | >=24.3.0<24.5.0 | 24.5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/getsentry/sentry/security/advisories/GHSA-c2g2-gx4j-rj3j
- https://nvd.nist.gov/vuln/detail/CVE-2024-35196
- https://github.com/getsentry/sentry/pull/70508
- https://api.slack.com/authentication/verifying-requests-from-slack#app-management-updates
- https://api.slack.com/authentication/verifying-requests-from-slack#deprecation
- https://api.slack.com/authentication/verifying-requests-from-slack#regenerating
- https://develop.sentry.dev/integrations/slack
- https://github.com/getsentry/sentry/blob/17d2b87e39ccd57e11da4deed62971ff306253d1/src/sentry/conf/server.py#L1307
- https://github.com/advisories/GHSA-c2g2-gx4j-rj3j (Advisory)
Frequently Asked Questions
What is the severity of GHSA-c2g2-gx4j-rj3j?
The severity of GHSA-c2g2-gx4j-rj3j is moderate due to the potential exposure of sensitive information.
How do I fix GHSA-c2g2-gx4j-rj3j?
To fix GHSA-c2g2-gx4j-rj3j, update your Sentry installation to version 24.5.0 or later.
What versions are affected by GHSA-c2g2-gx4j-rj3j?
GHSA-c2g2-gx4j-rj3j affects Sentry versions from 24.3.0 up to but not including 24.5.0.
What type of information is exposed in GHSA-c2g2-gx4j-rj3j?
GHSA-c2g2-gx4j-rj3j may expose sensitive information, including the deprecated Slack verification token.
Is there a workaround for GHSA-c2g2-gx4j-rj3j if I cannot update immediately?
There is no documented workaround for GHSA-c2g2-gx4j-rj3j, so updating to the latest version is recommended to mitigate the risk.
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-c2g2-gx4j-rj3j
- alias/CVE-2024-35196
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/references
- agent/softwarecombine
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- collector/github-advisory
- agent/trending
- agent/tags
- agent/source
- package-manager/pip