OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-35915 - Medium Severity Vulnerability
Vulnerable Libraries - contracts-3.3.0.tgz, contracts-upgradeable-3.4.1.tgz
contracts-3.3.0.tgz
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-3.3.0.tgz
Path to dependency file: /net-emissions-token-network/package.json
Path to vulnerable library: /net-emissions-token-network/package.json
Dependency Hierarchy: - :x: **contracts-3.3.0.tgz** (Vulnerable Library)
contracts-upgradeable-3.4.1.tgz
Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts-upgradeable/-/contracts-upgradeable-3.4.1.tgz
Path to dependency file: /net-emissions-token-network/package.json
Path to vulnerable library: /net-emissions-token-network/package.json
Dependency Hierarchy: - :x: **contracts-upgradeable-3.4.1.tgz** (Vulnerable Library)
Found in HEAD commit: d388e16464e00b9ce84df0d247029f534a429b90
Found in base branch: main
Vulnerability Details
OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2022-08-01
URL: CVE-2022-35915
CVSS 3 Score Details (5.3)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-7grf-83vw-6f5x
Release Date: 2022-08-01
Fix Resolution: 4.7.2
Step up your Open Source Security Game with Mend here