CVE-2023-26488

2023-03-0322:15:09

CWE-682

[email protected]

web.nvd.nist.gov

openzeppelin contracts

erc721consecutive

batch minting

nfts

security issue

patch

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

29.7%

JSON

OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by balanceOf. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2.

Affected configurations

Nvd

Node

openzeppelincontractsRange4.8.0–4.8.2node.js

openzeppelincontracts_upgradeableRange4.8.0–4.8.2node.js

VendorProductVersionCPE
openzeppelincontracts*cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*
openzeppelincontracts_upgradeable*cpe:2.3:a:openzeppelin:contracts_upgradeable:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
openzeppelin	contracts	*	cpe:2.3:a:openzeppelin:contracts::::::node.js::*
openzeppelin	contracts_upgradeable	*	cpe:2.3:a:openzeppelin:contracts_upgradeable::::::node.js::*