Lucene search

K
cve[email protected]CVE-2022-31170
HistoryJul 22, 2022 - 4:15 a.m.

CVE-2022-31170

2022-07-2204:15:14
CWE-20
CWE-252
web.nvd.nist.gov
44
4
openzeppelin contracts
erc165checker
vulnerability
smart contract
solidity 0.8
abi decode
patch
nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

26.5%

OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning false. ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8’s abi.decode allows some cases to revert, given a target contract that doesn’t implement EIP-165 as expected, specifically if it returns a value other than 0 or 1. The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting. The issue was patched in version 4.7.1.

Affected configurations

Vulners
NVD
Node
openzeppelinopenzeppelin_contractsRange4.0.04.7.1
VendorProductVersionCPE
openzeppelinopenzeppelin_contracts*cpe:2.3:a:openzeppelin:openzeppelin_contracts:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "openzeppelin-contracts",
    "vendor": "OpenZeppelin",
    "versions": [
      {
        "status": "affected",
        "version": ">= 4.0.0, < 4.7.1"
      }
    ]
  }
]

Social References

More

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

26.5%

Related for CVE-2022-31170