Veracode Vulnerability Database: VERACODE:41012
Published: Jun 26, 2023 - 7:28 a.m.

Improper Input Validation

Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: vulnerability, input validation, insecure contracts, multiproof verification, 0 value node, depth 1, merkle tree, balanced trees

Severity: 5.9 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001 (Low), percentile 35.4%

@openzeppelin/contracts and @openzeppelin/contracts-upgradeable are vulnerable to Improper Input Validation. If a contract uses multiproofs for verification and the Merkle tree being processed contains a node with value 0 at depth 1, the contract may be insecure. Balanced trees with three or fewer leaves may contain such a node by accident, or a malicious tree builder can deliberately add one to the tree.
