search

KOSASIH / pi-nexus-autonomous-banking-network

A decentralized, AI-driven system accelerating the Open Mainet Pi Network, connecting global banks for secure, efficient, and autonomous transactions.
https://kosasih.github.io/pi-nexus-autonomous-banking-network/
MIT License
86 stars 19 forks source link

openzeppelin-solidity-2.5.1.tgz: 1 vulnerabilities (highest severity is: 5.3) #1347

Open mend-bolt-for-github[bot] opened 3 weeks ago

mend-bolt-for-github[bot] commented 3 weeks ago
Vulnerable Library - openzeppelin-solidity-2.5.1.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/openzeppelin-solidity/-/openzeppelin-solidity-2.5.1.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/openzeppelin-solidity/package.json

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (openzeppelin-solidity version) Remediation Possible**
CVE-2022-35915 Medium 5.3 openzeppelin-solidity-2.5.1.tgz Direct 4.8.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-35915 ### Vulnerable Library - openzeppelin-solidity-2.5.1.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/openzeppelin-solidity/-/openzeppelin-solidity-2.5.1.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/openzeppelin-solidity/package.json

Dependency Hierarchy: - :x: **openzeppelin-solidity-2.5.1.tgz** (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

### Vulnerability Details

OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2022-08-01

URL: CVE-2022-35915

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-7grf-83vw-6f5x

Release Date: 2022-08-01

Fix Resolution: 4.8.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)