Description
OpenZeppelin Contracts is a library for smart contract development. Versions from 4.1.0 up to, but not including, 4.7.1 are vulnerable to SignatureChecker reverting. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that does not implement EIP-1271 as expected. The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.
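The following is an added illustration of the failure mode described above; it is not OpenZeppelin's code, and the contract and function names (MisbehavingSigner, SignatureCheckDemo, unsafeIsValid, safeIsValid, demo) are hypothetical. It assumes a "signer" contract that answers the EIP-1271 selector but returns a bool rather than the bytes4 magic value, so the 32-byte return word has non-zero low-order bytes. Solidity 0.8's ABI decoder validates that the unused padding of a bytes4 is zero and reverts otherwise, so decoding that word as bytes4 reverts instead of yielding "invalid"; decoding it as bytes32 and comparing against the left-aligned selector does not.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not OpenZeppelin code. All names below are hypothetical.

interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes memory signature)
        external
        view
        returns (bytes4 magicValue);
}

// A "signer" that exposes the EIP-1271 selector but returns a bool instead of
// the bytes4 magic value: its 32-byte return word is 0x00..01, i.e. the low
// 28 bytes are not all zero.
contract MisbehavingSigner {
    function isValidSignature(bytes32, bytes memory) external pure returns (bool) {
        return true;
    }
}

contract SignatureCheckDemo {
    bytes4 private constant MAGIC = IERC1271.isValidSignature.selector;

    // Shared staticcall to the signer; both variants below use this.
    function call1271(address signer, bytes32 hash, bytes memory signature)
        internal
        view
        returns (bool success, bytes memory result)
    {
        (success, result) = signer.staticcall(
            abi.encodeWithSelector(MAGIC, hash, signature)
        );
    }

    // Vulnerable shape: decode the return word as bytes4. The 0.8 ABI decoder
    // checks that the 28 unused low-order bytes are zero and reverts otherwise,
    // so a word like 0x00..01 makes the whole check revert instead of returning false.
    function unsafeIsValid(address signer, bytes32 hash, bytes memory signature)
        public
        view
        returns (bool)
    {
        (bool success, bytes memory result) = call1271(signer, hash, signature);
        return success && result.length == 32 && abi.decode(result, (bytes4)) == MAGIC;
    }

    // Hardened shape: decode the whole word as bytes32 (no padding validation can
    // fail) and compare it with the left-aligned magic value. Any malformed word,
    // including 0x00..01, simply compares unequal and yields false.
    function safeIsValid(address signer, bytes32 hash, bytes memory signature)
        public
        view
        returns (bool)
    {
        (bool success, bytes memory result) = call1271(signer, hash, signature);
        return success && result.length == 32 && abi.decode(result, (bytes32)) == bytes32(MAGIC);
    }

    // Runs both checks against a MisbehavingSigner with a constructed hash and a
    // constructed (zero-filled) signature. Expected result: (true, false), i.e. the
    // vulnerable variant reverts while the hardened one reports "invalid".
    function demo() external returns (bool unsafeReverted, bool safeResult) {
        address signer = address(new MisbehavingSigner());
        bytes32 hash = keccak256("constructed message");
        bytes memory sig = new bytes(65); // constructed; contents are irrelevant here

        try this.unsafeIsValid(signer, hash, sig) returns (bool) {
            unsafeReverted = false;
        } catch {
            unsafeReverted = true;
        }
        safeResult = safeIsValid(signer, hash, sig);
    }
}
```

Deploy SignatureCheckDemo and call demo(): the try/catch around the external self-call captures the revert from the bytes4 decode, which is exactly the behaviour a caller that handles invalid signatures without reverting would not expect. The length check alone does not help here, since the misbehaving signer returns a full 32-byte word; the decode itself is what reverts.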
References
- Patch, Third Party Advisory
- Third Party Advisory
- Patch, Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: version from 4.1.0 (inclusive) to 4.7.1 (exclusive)
cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*
EPSS
Percentile: 30%
Score: 0.00114
Severity: Low
CVSS3
7.5 High
Weaknesses
CWE-20
CWE-347
Related vulnerabilities
CVSS3: 7.5
github
more than 3 years ago
OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers