CVE-2023-23940

2023-02-0320:15:11

CWE-347

CWE-345

[email protected]

web.nvd.nist.gov

openzeppelin

cairo

smart contract

security

vulnerability

patch

starknet

zk rollup

nvd

0.6.1

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.7%

JSON

OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature. As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.

Affected configurations

Vulners

NVD

Node

openzeppelinopenzeppelin_contractsRange0.2.0–0.6.1

VendorProductVersionCPE
openzeppelinopenzeppelin_contracts*cpe:2.3:a:openzeppelin:openzeppelin_contracts:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openzeppelin	openzeppelin_contracts	*	cpe:2.3:a:openzeppelin:openzeppelin_contracts::::::::

CNA Affected

[
  {
    "vendor": "OpenZeppelin",
    "product": "cairo-contracts",
    "versions": [
      {
        "version": ">= 0.2.0, < 0.6.1",
        "status": "affected"
      }
    ]
  }
]