CVE-2022-35915

2022-08-0121:15:13

CWE-400

CWE-770

[email protected]

web.nvd.nist.gov

openzeppelin contracts

eip-165

gas consumption

security

upgrade

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.001 Low

EPSS

Percentile

39.3%

JSON

OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.

Affected configurations

Vulners

NVD

Node

openzeppelinopenzeppelin_contractsRange2.0.0≥

VendorProductVersionCPE
openzeppelinopenzeppelin_contracts*cpe:2.3:a:openzeppelin:openzeppelin_contracts:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openzeppelin	openzeppelin_contracts	*	cpe:2.3:a:openzeppelin:openzeppelin_contracts::::::::

CNA Affected

[
  {
    "product": "openzeppelin-contracts",
    "vendor": "OpenZeppelin",
    "versions": [
      {
        "status": "affected",
        "version": ">=2.0.0 < 4.7.2"
      }
    ]
  }
]