Jun 07, 2023 - 6:15 p.m.

CVE-2023-34234

2023-06-07 18:15:09
CWE-862
web.nvd.nist.gov
Tags: openzeppelin contracts, smart contract development, cve-2023-34234, frontrunning, governor, governorcompatibilitybravo, upgrade, security patch, nvd

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS: 0.001 Low
Percentile: 28.7%

OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround.

Affected configurations

Node: openzeppelin openzeppelin_contracts
Range: 4.3.0 - 4.9.1

Vendor: openzeppelin
Product: openzeppelin_contracts
Version: *
CPE: cpe:2.3:a:openzeppelin:openzeppelin_contracts:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "OpenZeppelin",
    "product": "openzeppelin-contracts",
    "versions": [
      {
        "version": ">=4.3.0, < 4.9.1",
        "status": "affected"
      }
    ]
  }
]
