GHSA-5vp3-v4hc-gx76

Published: 15 Sept 2021
Source: github
GitHub: Reviewed
CVSS3: 9.8

Description

UUPSUpgradeable vulnerability in @openzeppelin/contracts

Impact

Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.

Patches

A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.

Workarounds

Initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.

References

Post-mortem.

For more information

If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.

Packages

Name                                 | Ecosystem | Affected versions   | Fixed version
@openzeppelin/contracts              | npm       | >= 4.1.0, < 4.3.2   | 4.3.2
@openzeppelin/contracts-upgradeable  | npm       | >= 4.1.0, < 4.3.2   | 4.3.2

EPSS

Percentile: 70%
Score: 0.00641
Low

CVSS3

9.8 Critical

Weaknesses

CWE-665

Related vulnerabilities

CVSS3: 9.8
nvd
about 4 years ago

OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301).
