CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
26.7%
OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. SignatureChecker.isValidSignatureNow
is not expected to revert. However, an incorrect assumption about Solidity 0.8’s abi.decode
allows some cases to revert, given a target contract that doesn’t implement EIP-1271 as expected. The contracts that may be affected are those that use SignatureChecker
to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.
Vendor | Product | Version | CPE |
---|---|---|---|
openzeppelin | contracts | * | cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:* |