OpenZeppelin Contracts ERC165Checker unbounded gas consumption

2022-08-1400:23:34

Google

osv.dev

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.001 Low

EPSS

Percentile

39.3%

JSON

Impact

The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost.

Patches

The issue has been fixed in v4.7.2.

References

https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587

For more information

If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at [email protected].

CPENameOperatorVersion
@openzeppelin/contractsge2.0.0
@openzeppelin/contracts-upgradeablelt4.7.2
openzeppelin-ethle2.2.0
openzeppelin-solidityle4.6.0
@openzeppelin/contractslt4.7.2
openzeppelin-ethge2.0.0
@openzeppelin/contracts-upgradeablege3.2.0
openzeppelin-solidityge2.0.0

Name	Operator	Version
@openzeppelin/contracts	ge	2.0.0
@openzeppelin/contracts-upgradeable	lt	4.7.2
openzeppelin-eth	le	2.2.0
openzeppelin-solidity	le	4.6.0
@openzeppelin/contracts	lt	4.7.2
openzeppelin-eth	ge	2.0.0
@openzeppelin/contracts-upgradeable	ge	3.2.0
openzeppelin-solidity	ge	2.0.0