CVE-2022-31170

2022-07-2204:15:14

CWE-252

CWE-20

[email protected]

web.nvd.nist.gov

openzeppelin contracts

erc165checker

vulnerability

smart contract

solidity 0.8

abi decode

patch

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

26.9%

JSON

OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning false. ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8’s abi.decode allows some cases to revert, given a target contract that doesn’t implement EIP-165 as expected, specifically if it returns a value other than 0 or 1. The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting. The issue was patched in version 4.7.1.

Affected configurations

Vulners

NVD

Node

openzeppelinopenzeppelin_contractsRange4.0.0–4.7.1

VendorProductVersionCPE
openzeppelinopenzeppelin_contracts*cpe:2.3:a:openzeppelin:openzeppelin_contracts:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openzeppelin	openzeppelin_contracts	*	cpe:2.3:a:openzeppelin:openzeppelin_contracts::::::::

CNA Affected

[
  {
    "product": "openzeppelin-contracts",
    "vendor": "OpenZeppelin",
    "versions": [
      {
        "status": "affected",
        "version": ">= 4.0.0, < 4.7.1"
      }
    ]
  }
]