Search: OpenzeppelinContracts Upgradeable
12 matches found

CVE-2024-27094 (added 2024/02/29 6:18 p.m.)

OpenZeppelin Contracts Base64.encode has a memory-read flaw when input length is not a multiple of 3, risking corruption of the encoded output. This affects OpenZeppelin Contracts (and upgradeable) prior to versions 5.0.2 and 4.9.6. Remediation: upgrade to 5.0.2 or 4.9.6. No exploit details are p...

CVSS 7.4, AI score 6.3, EPSS 0.00763
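To make the Base64 tail problem concrete, here is an added Python model (not OpenZeppelin's code) of a byte-oriented encoder that walks a buffer in 3-byte chunks the way an assembly implementation reads memory. The buffer bytes past the declared input length stand in for uninitialised memory; the constructed 0xff tail shows which output character they leak into when the encoder does not mask them, and why the `=` padding does not hide the damage.

```python
# Added example, not OpenZeppelin code. A byte-oriented Base64 encoder that
# walks a buffer in 3-byte chunks, the way an assembly implementation reads
# memory words, to show why an input whose length is not a multiple of 3 is
# sensitive to whatever bytes sit right after it.
import base64

ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_from_buffer(buf: bytes, length: int, mask_tail: bool) -> bytes:
    """Base64-encode buf[:length].

    buf may be longer than length; the bytes past the input stand in for
    uninitialised ("dirty") memory. With mask_tail=False the final partial
    chunk is assembled from those bytes as-is, so they leak into the last
    real output character before the '=' padding is written.
    """
    out = bytearray()
    for i in range(0, length, 3):
        remaining = min(3, length - i)          # real input bytes in this chunk
        chunk = bytearray(buf[i:i + 3])
        while len(chunk) < 3:                   # buffer ends exactly at the input
            chunk.append(0)
        if mask_tail:
            for k in range(remaining, 3):       # zero whatever is not input
                chunk[k] = 0
        v = (chunk[0] << 16) | (chunk[1] << 8) | chunk[2]
        quad = bytes(ALPHABET[(v >> shift) & 0x3F] for shift in (18, 12, 6, 0))
        # Padding only overwrites the trailing characters; the character that
        # mixes input bits with tail bits is kept as computed.
        out += quad[:remaining + 1] + b"=" * (3 - remaining)
    return bytes(out)


def corrupted_positions(buf: bytes, length: int) -> list:
    """Output indexes where the dirty-tail encoding differs from the clean one."""
    good = encode_from_buffer(buf, length, mask_tail=True)
    bad = encode_from_buffer(buf, length, mask_tail=False)
    return [i for i, (a, b) in enumerate(zip(good, bad)) if a != b]


def matches_stdlib(data: bytes) -> bool:
    """The masked encoder agrees with the standard library for any length."""
    return encode_from_buffer(data, len(data), mask_tail=True) == base64.b64encode(data)


if __name__ == "__main__":
    # Constructed input: two real bytes followed by two dirty 0xff bytes.
    dirty = b"Ma" + b"\xff\xff"
    print(encode_from_buffer(dirty, 2, True))    # b'TWE='  (same as base64.b64encode(b"Ma"))
    print(encode_from_buffer(dirty, 2, False))   # b'TWH='  (third character corrupted)
    print(corrupted_positions(dirty, 2))         # [2]
```

The corrupted character is always the last non-padding one, because its low bits come from the first byte past the input; a length that is a multiple of 3 never reads past the input and is unaffected, which matches the advisory's scoping.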
CVE-2023-34459 (added 2023/06/16 10:13 p.m.)

OpenZeppelin Contracts (versions 4.7.0–4.9.1) are affected by a multiproof forgery issue when using verifyMultiProof/verifyMultiProofCalldata/processMultiProof/processMultiProofCalldata. If the merkle tree includes a node with value 0 at depth 1 under the root, an adversarial or certain benign tre...

CVSS 5.9, AI score 5.3, EPSS 0.00371
CVE-2022-35961 (added 2022/08/14 12:05 a.m.)

OpenZeppelin Contracts (ECDSA.recover and ECDSA.tryRecover) are subject to signature malleability because the single `bytes signature` overloads also accept EIP-2098 compact (64-byte) signatures; the r, v, s and r, vs overloads are not affected. This could allow a reused/double-submitted signature to bypass replay protection in contracts ...

CVSS 7.9, AI score 6.8, EPSS 0.00336
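The malleability here is purely one of encoding: the same (r, s, v) can be presented as 65 bytes or as the 64-byte EIP-2098 form, so any replay guard that marks "used" signatures by hashing the raw bytes sees two distinct keys. The following Python model is an added example, not OpenZeppelin's code; the (r, s, v) values are constructed and are not a real signature, and sha256 stands in for keccak256 in the guard.

```python
# Added example, not OpenZeppelin code. One ECDSA signature, two byte
# encodings (65-byte r||s||v and 64-byte EIP-2098 r||vs), and the effect on a
# replay guard keyed on the raw signature bytes.
import hashlib

# Constructed (r, s, v); not a real signature over anything.
R = 0x1111111111111111111111111111111111111111111111111111111111111111
S = 0x2222222222222222222222222222222222222222222222222222222222222222
V = 28


def encode_standard(r: int, s: int, v: int) -> bytes:
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([v])


def encode_compact(r: int, s: int, v: int) -> bytes:
    """EIP-2098: yParity (v - 27) is packed into the top bit of s."""
    vs = s | ((v - 27) << 255)
    return r.to_bytes(32, "big") + vs.to_bytes(32, "big")


def split_permissive(sig: bytes) -> tuple:
    """Accepts both layouts, like the recover(bytes) behaviour described above."""
    r = int.from_bytes(sig[:32], "big")
    if len(sig) == 65:
        return r, int.from_bytes(sig[32:64], "big"), sig[64]
    if len(sig) == 64:
        vs = int.from_bytes(sig[32:], "big")
        return r, vs & ((1 << 255) - 1), 27 + (vs >> 255)
    raise ValueError("invalid signature length")


def split_strict(sig: bytes) -> tuple:
    """Only the 65-byte layout is a valid `bytes signature`."""
    if len(sig) != 65:
        raise ValueError("invalid signature length")
    return split_permissive(sig)


class RawSigReplayGuard:
    """Records used signatures by hashing their raw bytes (sha256 standing in
    for keccak256). This is the pattern the advisory warns can be bypassed."""

    def __init__(self, split):
        self.split = split
        self.used = set()

    def submit(self, sig: bytes) -> bool:
        self.split(sig)                           # raises on a rejected layout
        key = hashlib.sha256(sig).digest()
        if key in self.used:
            return False
        self.used.add(key)
        return True


def replay_succeeds(split) -> bool:
    """Submit the standard encoding, then the compact re-encoding of the same
    (r, s, v). True means the second submission got past the guard."""
    guard = RawSigReplayGuard(split)
    first = guard.submit(encode_standard(R, S, V))
    try:
        second = guard.submit(encode_compact(R, S, V))
    except ValueError:
        second = False
    return first and second


if __name__ == "__main__":
    print(replay_succeeds(split_permissive))   # True
    print(replay_succeeds(split_strict))       # False
```

Rejecting the 64-byte layout in the `bytes` path closes this particular doubling, but a guard keyed on signature bytes is still the wrong design: key replay protection on a per-signer nonce or on the signed message instead, so that no re-encoding of a signature can mint a fresh key.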
CVE-2022-35915 (added 2022/08/01 9:05 p.m.)

OpenZeppelin Contracts contains a vulnerability in the ERC165 supportsInterface logic where querying a target contract can cause unbounded gas consumption by returning a large amount of data. The issue is fixed in version 4.7.2; users are advised to upgrade. There are no public workarounds noted....

CVSS 5.3, AI score 5.1, EPSS 0.00635
CVE-2022-35916 (added 2022/08/01 9:00 p.m.)

OpenZeppelin Contracts vulnerability CVE-2022-35916 affects cross-chain utilities for Arbitrum L2, specifically CrossChainEnabledArbitrumL2 and LibArbitrumL2. The issue classifies direct interactions of EOAs as cross-chain calls, even when not initiated on L1, due to how cross-chain interactions ...

CVSS 5.3, AI score 5.1, EPSS 0.00475
CVE-2022-39384 (added 2022/11/04 12:00 a.m.)

OpenZeppelin Contracts (3.2.0–4.4.1) contain an initializer reentrancy issue caused by an exception used to support multiple inheritance, allowing reentry when an untrusted non-view external call is made during initialization. The impact is described as minor since upgradeable proxies are usually...

CVSS 5.6, AI score 6, EPSS 0.00494
CVE-2023-30542 (added 2023/04/16 7:10 a.m.)

CVE-2023-30542 concerns OpenZeppelin Contracts’ GovernorCompatibilityBravo: the propose entrypoint may allow a signatures array shorter than the calldatas array, causing extra calldatas to be ignored and potentially executing actions without calldata if the proposal passes. The event reflects wha...

CVSS 8.8, AI score 7.7, EPSS 0.00584
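The length mismatch is easiest to see in the step that turns Bravo-style (signatures, calldatas) pairs into the calldata that is executed. The Python model below is an added example, not the project's code: it assumes the encoder walks the signatures array while sizing its result by calldatas (which is what "extra calldatas are ignored" implies), uses sha256 as a stand-in for keccak256 when deriving selectors, and uses constructed target names and placeholder argument bytes.

```python
# Added example, not OpenZeppelin code. Models the propose() encoding step of a
# Bravo-compatible governor and what a short signatures array does to it.
import hashlib


def selector(signature: str) -> bytes:
    """4-byte function selector; sha256 stands in for keccak256 here."""
    return hashlib.sha256(signature.encode()).digest()[:4]


def encode_calldata_lenient(signatures: list, calldatas: list) -> list:
    """Walks the signatures array only; any calldatas entry past its end is
    never encoded, so that action is left with empty calldata."""
    full = [b""] * len(calldatas)
    for i, sig in enumerate(signatures):
        full[i] = calldatas[i] if sig == "" else selector(sig) + calldatas[i]
    return full


def encode_calldata_checked(signatures: list, calldatas: list) -> list:
    """Same encoding behind an explicit length check."""
    if len(signatures) != len(calldatas):
        raise ValueError("invalid signatures length")
    return encode_calldata_lenient(signatures, calldatas)


def actions_without_calldata(targets: list, full_calldatas: list) -> list:
    """Targets that execution would call with no calldata at all."""
    return [t for t, data in zip(targets, full_calldatas) if data == b""]


def propose(encoder, targets, signatures, calldatas):
    """Returns the targets that would run with empty calldata, or None if the
    proposal is rejected at creation."""
    try:
        full = encoder(signatures, calldatas)
    except ValueError:
        return None
    return actions_without_calldata(targets, full)


# Constructed proposal: two actions, but only one signature supplied.
TARGETS = ["0xTreasury", "0xToken"]
SIGNATURES = ["transfer(address,uint256)"]
CALLDATAS = [b"\x00" * 64, b"\x00" * 64]    # placeholder ABI-encoded arguments

if __name__ == "__main__":
    print(propose(encode_calldata_lenient, TARGETS, SIGNATURES, CALLDATAS))  # ['0xToken']
    print(propose(encode_calldata_checked, TARGETS, SIGNATURES, CALLDATAS))  # None
```

An action executed with empty calldata hits the target's fallback or receive path rather than the function the proposal appeared to describe, which is why the length check belongs at proposal creation and not at execution.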
CVE-2022-31198 (added 2022/08/01 9:00 p.m.)

OpenZeppelin Contracts: a GovernorVotesQuorumFraction issue where lowering the quorum fraction can make previously defeated proposals executable if their votes meet the new quorum. Affected: GovernorVotesQuorumFraction-based governors in OpenZeppelin Contracts. Root cause: quorum is a percentage of total supply, ...

CVSS 7.5, AI score 7.4, EPSS 0.00626
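The failure mode is that the quorum for an old proposal is recomputed from today's numerator while the vote tallies are frozen. The Python model below is an added example, not OpenZeppelin's code; it puts a quorum computed from the current numerator next to one computed from a block-checkpointed numerator history, with constructed block numbers, supply and vote weights.

```python
# Added example, not OpenZeppelin code. A minimal GovernorVotesQuorumFraction-
# style governor with two quorum computations: from the current numerator (the
# behaviour the advisory describes) and from the numerator in force at the
# proposal's snapshot block (a checkpointed history).
from bisect import bisect_right


class Governor:
    def __init__(self, numerator: int, denominator: int = 100):
        self.denominator = denominator
        self.history = [(0, numerator)]   # (block, numerator), block ascending
        self.supply_at = {}               # snapshot block -> total voting supply
        self.proposals = {}               # id -> snapshot and vote tallies

    def update_quorum_numerator(self, block: int, numerator: int) -> None:
        assert block >= self.history[-1][0]
        self.history.append((block, numerator))

    def numerator_at(self, block: int) -> int:
        """Latest checkpoint at or before `block`."""
        idx = bisect_right([b for b, _ in self.history], block) - 1
        return self.history[idx][1]

    def quorum_current(self, snapshot: int) -> int:
        """Supply as of the snapshot, but today's numerator."""
        return self.supply_at[snapshot] * self.history[-1][1] // self.denominator

    def quorum_checkpointed(self, snapshot: int) -> int:
        """Supply and numerator both as of the snapshot."""
        return self.supply_at[snapshot] * self.numerator_at(snapshot) // self.denominator

    def propose(self, pid: str, snapshot: int, supply: int) -> None:
        self.supply_at[snapshot] = supply
        self.proposals[pid] = {"snapshot": snapshot, "for": 0, "against": 0, "abstain": 0}

    def vote(self, pid: str, support: str, weight: int) -> None:
        self.proposals[pid][support] += weight

    def succeeded(self, pid: str, quorum_fn) -> bool:
        """Quorum counts for + abstain; success additionally needs for > against."""
        p = self.proposals[pid]
        quorum_reached = quorum_fn(p["snapshot"]) <= p["for"] + p["abstain"]
        return quorum_reached and p["for"] > p["against"]


def scenario(quorum_mode: str) -> tuple:
    """Returns (succeeded right after voting, succeeded after the quorum is lowered)."""
    g = Governor(numerator=40)                    # quorum = 40% of supply
    g.propose("p1", snapshot=100, supply=1000)    # quorum is 400 votes
    g.vote("p1", "for", 300)                      # 300 < 400: defeated on quorum
    fn = g.quorum_current if quorum_mode == "current" else g.quorum_checkpointed
    before = g.succeeded("p1", fn)
    g.update_quorum_numerator(block=200, numerator=20)   # quorum drops to 20%
    after = g.succeeded("p1", fn)
    return before, after


if __name__ == "__main__":
    print(scenario("current"))        # (False, True): the defeated proposal becomes executable
    print(scenario("checkpointed"))   # (False, False)
```

With the checkpointed variant a numerator change only affects proposals whose snapshot is at or after the block of the change, so the outcome of an already-decided vote cannot be flipped by a later governance parameter update.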
CVE-2023-26488 (added 2023/03/03 9:08 p.m.)

OpenZeppelin Contracts ERC721Consecutive has a balance-update bug for batches of size 1, causing balanceOf to overflow. Root cause: balances not updated after mint/batch transfers. Impact is partial (balance overflow risk) and fixes were applied in version 4.8.2; update to 4.8.2 or later to remed...

CVSS 6.5, AI score 6.6, EPSS 0.00713
CVE-2023-49798 (added 2023/12/08 11:35 p.m.)

OpenZeppelin Contracts’ CVE-2023-49798 relates to a merge-conflict error in the Multicall.sol implementation that caused all subcalls to be executed twice in versions @openzeppelin/[email protected] and @openzeppelin/[email protected]. This duplication could lead to unintended duplicate o...

CVSS 7.5, AI score 6.5, EPSS 0.00543
CVE-2023-30541 (added 2023/04/17 9:37 p.m.)

OpenZeppelin Contracts vulnerability CVE-2023-30541: The TransparentUpgradeableProxy can fail to delegate a function if its selector clashes with the proxy’s own selectors, causing a revert during calldata decoding when signatures are incompatible. The issue has been fixed in version 4.8.3. Impac...

CVSS 5.3, AI score 5.1, EPSS 0.00812
CVE-2023-34234 (added 2023/06/07 5:06 p.m.)

OpenZeppelin Contracts’ Governor-related vulnerability (CVE-2023-34234) allows an attacker to frontrun the creation of a proposal, enabling the attacker to become the proposer and repeatedly cancel proposals. Affected: Governor (v4.9.0) and GovernorCompatibilityBravo (since v4.3.0). Root cause: l...

CVSS 5.3, AI score 5.2, EPSS 0.00595