GitHub Advisory Database: GHSA-7GRF-83VW-6F5X
History: Aug 14, 2022 - 12:23 a.m.

OpenZeppelin Contracts ERC165Checker unbounded gas consumption

2022-08-14 00:23:34
CWE-400
CWE-770
GitHub Advisory Database
github.com

5.3 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS: 0.001 Low
Percentile: 39.3%

Impact

The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost.

Patches

The issue has been fixed in v4.7.2.
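Added illustration, not code from the advisory or from OpenZeppelin: a minimal ERC-165 probe in the unbounded shape the advisory describes, beside a bounded form that copies at most one 32-byte word of return data, the same idea as the v4.7.2 fix. The interface, library and function names are assumed for this example, as is the 30,000 gas budget, which comes from EIP-165 rather than from this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed names for this illustration; not OpenZeppelin's ERC165Checker.
interface IERC165Example {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

library ERC165ProbeExample {
    // Pre-fix shape: a high-level staticcall. The 30,000 gas stipend (EIP-165)
    // bounds what the callee may spend, but after the call the compiler copies
    // the *entire* return data into the caller's memory, and that copy plus the
    // resulting memory expansion is charged to the caller, not the callee.
    function supportsInterfaceUnbounded(address account, bytes4 interfaceId)
        internal view returns (bool)
    {
        bytes memory encodedParams =
            abi.encodeWithSelector(IERC165Example.supportsInterface.selector, interfaceId);
        (bool success, bytes memory result) = account.staticcall{gas: 30000}(encodedParams);
        if (!success || result.length < 32) {
            return false;
        }
        return abi.decode(result, (bool));
    }

    // Hardened shape: a low-level staticcall with a fixed 32-byte output buffer.
    // Only the first word of return data is ever written to memory, and the real
    // return size is read with returndatasize(), so the caller's cost no longer
    // depends on how much data the target chooses to return.
    function supportsInterfaceBounded(address account, bytes4 interfaceId)
        internal view returns (bool)
    {
        bytes memory encodedParams =
            abi.encodeWithSelector(IERC165Example.supportsInterface.selector, interfaceId);
        bool success;
        uint256 returnSize;
        uint256 returnValue;
        assembly {
            // out = scratch space at 0x00, outsize = 0x20: at most one word is copied.
            success := staticcall(
                30000, account, add(encodedParams, 0x20), mload(encodedParams), 0x00, 0x20
            )
            returnSize := returndatasize()
            returnValue := mload(0x00)
        }
        // A well-formed answer is exactly one ABI-encoded bool word.
        return success && returnSize >= 0x20 && returnValue > 0;
    }
}
```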

References

https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587

For more information

If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at [email protected].

Affected configurations

Vulners (Node):
openzeppelin / openzeppelin-eth, Range: 2.2.0 (node.js)
OR
openzeppelin / contracts_upgradeable, Range: 3.2.0
OR
openzeppelin / contracts_upgradeable, Range: <4.7.2
OR
openzeppelin / openzeppelin-solidity, Range: 4.6.0 (node.js)
OR
openzeppelin / openzeppelin_contracts, Range: <4.7.2
