openzeppelin_cairo_contracts is vulnerable to Improper Verification of Cryptographic Signature. A malicious user is able to bypass signature validation to impersonate an instance of an account and gain access to confidential user data, because is_valid_eth_signature
is missing a call to finalize_keccak
after calling verify_eth_signature
, which makes it vulnerable to a malicious sequencer.
CPE | Name | Operator | Version |
---|---|---|---|
openzeppelin-cairo-contracts | le | 0.6.0 | |
openzeppelin-cairo-contracts | le | 0.6.0 |
github.com/advisories/GHSA-626q-v9j4-mcp4
github.com/OpenZeppelin/cairo-contracts/commit/8d5c0b4199a178f1d26d46c8d34de5edd97a5940
github.com/OpenZeppelin/cairo-contracts/pull/542
github.com/OpenZeppelin/cairo-contracts/pull/542/commits/6d4cb750478fca2fd916f73297632f899aca9299
github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-626q-v9j4-mcp4