GitHub Advisory DatabaseGHSA-878M-3G6Q-594QOpenZeppelin Contracts contains Incorrect Calculation
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
29.7%
Impact
The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by balanceOf.
The issue exclusively presents with batches of size 1.
Patches
The issue has been patched in 4.8.2.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| openzeppelin | contracts_upgradeable | * | cpe:2.3:a:openzeppelin:contracts_upgradeable:*:*:*:*:*:node.js:*:* |
| openzeppelin | openzeppelin_contracts | * | cpe:2.3:a:openzeppelin:openzeppelin_contracts:*:*:*:*:*:*:*:* |
References
github.com/advisories/GHSA-878m-3g6q-594q
github.com/OpenZeppelin/openzeppelin-contracts/commit/167bf67ed3907f4a674043496019fa346cee7705
github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.2
github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-878m-3g6q-594q
nvd.nist.gov/vuln/detail/CVE-2023-26488
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
29.7%