CVE-2021-41264
OpenZeppelin CVE-2021-41264 affects upgradeable contracts using UUPSUpgradeable due to uninitialized implementation contracts. The vulnerability is addressed in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. If upgrading is not possible, a mitigation is to initi...
CVE-2021-41264 UUPSUpgradeable vulnerability in OpenZeppelin Contracts
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and...
OpenZeppelin security vulnerability
OpenZeppelin is a software library that provides a standard for secure blockchain applications. A security vulnerability exists in versions of OpenZeppelin Contracts prior to 4.3.2, which an attacker can exploit to conduct an uninitialized contract attack...
GHSA-5VP3-V4HC-GX76 UUPSUpgradeable vulnerability in @openzeppelin/contracts
Impact Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon. Patches A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeabl...
@biconomy/hyphen-contracts (=1.0.4), @devprotocol/protocol-l2 (>=0.0.1 <=0.0.2) +8 more potentially affected by unknown CVE via @openzeppelin/contracts-upgradeable (>=4.2.0 <=4.3.1)
@openzeppelin/contracts-upgradeable NPM version =4.2.0, =0.0.1, =1.1.2, =1.0.1, =1.1.2, =1.0.0, =0.8.1-pr-brioux-1333.92b26c3a.36, =1.0.5, =2.3.0, =2.3.2 Source cves: unknown CVE Source advisory: OSV:GHSA-Q4H9-46XG-M3X9...
0x-hunter-core (>=1.0.0-33 <=1.0.0-38), @0xabcdefg/router-sdk (=1.0.0) +2185 more potentially affected by CVE-2021-39167 via @openzeppelin/contracts (>=3.3.0 <=3.4.2-solc-0.7)
@openzeppelin/contracts NPM version =3.3.0, =1.0.0-33, =1.0.0, =1.0.0, =1.9.1, =3.24.7, =1.7.2, =3.10.3, =0.0.2, =1.4.1, =1.0.0, =0.2.0, =1.0.0 - @0xlol/sdk =0.0.267 and more Source cves: CVE-2021-39167 Source advisory: OSV:GHSA-FG47-3C2X-M2WR...
@avalabs/avalanche-wallet-sdk (>=0.3.0 <=0.9.4), @b0dhidharma/contract-utils (=0.1.1) +48 more potentially affected by CVE-2021-39167 via @openzeppelin/contracts (>=4.0.0 <=4.3.0)
@openzeppelin/contracts NPM version =4.0.0, =0.3.0, =0.0.2, =1.0.0, =1.1.0, =2.0.0, =0.1.1, =0.0.1, =3.0.0-alpha.2, =3.0.0-alpha.1, =3.0.0-alpha.1, =3.0.0-alpha.1, =0.0.0-863d96e4, =0.0.23-canary and more Source cves: CVE-2021-39167 Source advisory: OSV:GHSA-FG47-3C2X-M2WR...
TimelockController vulnerability in OpenZeppelin Contracts
Impact A vulnerability in TimelockController allowed an actor with the executor role to take immediate control of the timelock, by resetting the delay to 0 and escalating privileges, thus gaining unrestricted access to assets held in the contract. Instances with the executor role set to "open"...
Privilege Escalation
@openzeppelin/contracts is vulnerable to privilege escalation. The vulnerability exists due to the lack of sanitization of roles in the TimelockController function which allowed an actor with executor role to escalate privileges...