OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.
Vulnerable Library - openzeppelin-solidity-2.5.1.tgz
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/openzeppelin-solidity/-/openzeppelin-solidity-2.5.1.tgz
Path to dependency file: /blockchain_integration/pi_network/contracts/package.json
Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/openzeppelin-solidity/package.json
Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-35915
### Vulnerable Library - openzeppelin-solidity-2.5.1.tgzSecure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/openzeppelin-solidity/-/openzeppelin-solidity-2.5.1.tgz
Path to dependency file: /blockchain_integration/pi_network/contracts/package.json
Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/openzeppelin-solidity/package.json
Dependency Hierarchy: - :x: **openzeppelin-solidity-2.5.1.tgz** (Vulnerable Library)
Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36
Found in base branch: main
### Vulnerability DetailsOpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2022-08-01
URL: CVE-2022-35915
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-7grf-83vw-6f5x
Release Date: 2022-08-01
Fix Resolution: 4.8.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)