GSD-2022-1004951
- Source
- https://data.gsd.id/GSD-2022-1004951
- Import Source
- https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1004xxx/GSD-2022-1004951.json
- JSON Data
- https://api.osv.dev/v1/vulns/GSD-2022-1004951
- Withdrawn
- 2023-03-14T07:01:09.294246Z
- Published
- 2022-08-05T03:45:01.608941Z
- Modified
- 2023-03-14T07:01:09.294246Z
- Summary
- hashed password of the user who created or revoked the link disclosure in Slack version between April 17, 2017 and July 17, 2022
- Details
-
In Slack between April 17, 2017 and July 17, 2022 if a shared invite link was created or revoked the hashed password of the user who created or revoked the link would have been disclosed in the invitation link, allowing an attacked viewing the invitation link to see the hashed password (also salted). Users have been advised to change their passwords. In communications with Slack support it has also been confirmed that users logging in via SSO are not affected: "Thanks for your writing in with your question. I'm happy to share there are no actions you need to take if you're signing into Slack with SSO"
- References