Описание
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. For users unable to upgrade; initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.
Ссылки
- Issue TrackingMitigationPatchVendor Advisory
- PatchThird Party Advisory
- Third Party Advisory
- Issue TrackingMitigationPatchVendor Advisory
- PatchThird Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 4.1.0 (включая) до 4.3.2 (исключая)
cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*
EPSS
Процентиль: 70%
0.00641
Низкий
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-665
Связанные уязвимости
CVSS3: 9.8
github
больше 4 лет назад
UUPSUpgradeable vulnerability in @openzeppelin/contracts
EPSS
Процентиль: 70%
0.00641
Низкий
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-665