cvelist / GitHub_M / CVELIST:CVE-2023-26488
History: Mar 03, 2023 - 9:08 p.m.

CVE-2023-26488 OpenZeppelin Contracts contains Incorrect Calculation

2023-03-03 21:08:34
CWE-682
GitHub_M
www.cve.org
openzeppelin contracts
erc721consecutive
incorrect calculation
nfts
batch minting
overflow
update balance
security patch

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 29.7%

OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract, designed for minting NFTs in batches, does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by balanceOf. The issue presents exclusively with batches of size 1. The issue has been patched in 4.8.2.

CNA Affected

[
  {
    "vendor": "OpenZeppelin",
    "product": "openzeppelin-contracts",
    "versions": [
      {
        "version": ">= 4.8.0, < 4.8.2",
        "status": "affected"
      }
    ]
  }
]
