Byte Open Security (ByteOS Network)
NVD Vulnerability Details: CVE-2023-40014
Status: Analyzed
Source: security-advisories@github.com
Published: 10 Aug 2023, 20:15
Last updated: 23 Aug 2023, 13:48

OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3.
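The Solidity below is an added example written for this page; it is not OpenZeppelin's source. It reproduces the unguarded calldata read that yields `address(0)` when a trusted forwarder relays fewer than 20 bytes, beside the length check that v4.9.3 introduces, and adds a tiny relay so the two cases can be driven. The contract and function names (`Context2771Example`, `Probe2771`, `RawForwarder`, `_msgSenderVulnerable`, `_msgSenderFixed`, `_msgDataFixed`, `relayRaw`, `relayAppending`) are hypothetical, and a single trusted forwarder fixed at deployment is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration of the ERC-2771 sender-recovery pattern behind
// CVE-2023-40014. Example code for this page, not the OpenZeppelin source.
// Assumption: one trusted forwarder, fixed at deployment.
abstract contract Context2771Example {
    address private immutable _trustedForwarder;

    constructor(address trustedForwarder) {
        _trustedForwarder = trustedForwarder;
    }

    function isTrustedForwarder(address forwarder) public view returns (bool) {
        return forwarder == _trustedForwarder;
    }

    // Pre-4.9.3 behaviour: trust the forwarder and read the last 20 bytes of
    // calldata as the signer, without checking that 20 bytes actually exist.
    function _msgSenderVulnerable() internal view returns (address sender) {
        if (isTrustedForwarder(msg.sender)) {
            assembly {
                // With calldatasize() < 20, sub() wraps modulo 2**256 to a huge
                // offset. calldataload() past the end of calldata yields zero
                // bytes, so `sender` becomes address(0) instead of the signer.
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            sender = msg.sender;
        }
    }

    // 4.9.3-style guard: only strip an appended signer when at least 20 bytes
    // of calldata are present; otherwise the forwarder itself is the sender.
    function _msgSenderFixed() internal view returns (address sender) {
        if (isTrustedForwarder(msg.sender) && msg.data.length >= 20) {
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            sender = msg.sender;
        }
    }

    // Matching guard for the data accessor: a payload shorter than 20 bytes is
    // returned whole instead of reverting on the checked subtraction.
    function _msgDataFixed() internal view returns (bytes calldata) {
        if (isTrustedForwarder(msg.sender) && msg.data.length >= 20) {
            return msg.data[:msg.data.length - 20];
        }
        return msg.data;
    }
}

// Hypothetical probe exposing both variants. Reached through the trusted
// forwarder with only a 4-byte selector (no appended signer), the first
// returns address(0) and the second returns the forwarder's address.
contract Probe2771 is Context2771Example {
    constructor(address trustedForwarder) Context2771Example(trustedForwarder) {}

    function senderVulnerable() external view returns (address) {
        return _msgSenderVulnerable();
    }

    function senderFixed() external view returns (address) {
        return _msgSenderFixed();
    }
}

// Hypothetical minimal relay used to drive the probe. `relayRaw` forwards the
// calldata unchanged (the short-calldata case the advisory describes);
// `relayAppending` appends the signer, as ERC-2771 forwarders are expected to.
contract RawForwarder {
    function relayRaw(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "relay failed");
        return ret;
    }

    function relayAppending(address target, bytes calldata data, address signer)
        external
        returns (bytes memory)
    {
        (bool ok, bytes memory ret) = target.call(abi.encodePacked(data, signer));
        require(ok, "relay failed");
        return ret;
    }
}
```

Deploy `RawForwarder`, deploy `Probe2771` with the forwarder's address, then call `relayRaw(probe, abi.encodeWithSelector(Probe2771.senderVulnerable.selector))`: the 4-byte payload carries no trailing signer, so the unguarded variant decodes `address(0)` while the guarded variant reports the forwarder. Through `relayAppending` both variants return the appended signer, which is why forwarders that always append the address (such as `MinimalForwarder`) are not affected. When reviewing a deployment, check whether any custom trusted forwarder can relay raw or empty calldata (for example into `receive()` or `fallback()`), whether `_msgSender()` feeds authorization or storage keyed by sender, and upgrade to v4.9.3 or later.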

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Primary
CVSS version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
CVSS version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Vendor: openzeppelin
Product: openzeppelin_contracts, versions from 4.0.0 (inclusive) to 4.9.3 (exclusive)
cpe:2.3:a:openzeppelin:openzeppelin_contracts:*:*:*:*:*:node.js:*:*
Vendor: openzeppelin
Product: openzeppelin_contracts-upgradable, versions from 4.0.0 (inclusive) to 4.9.3 (exclusive)
cpe:2.3:a:openzeppelin:openzeppelin_contracts-upgradable:*:*:*:*:*:node.js:*:*
Weaknesses
CWE ID: CWE-116 (Improper Encoding or Escaping of Output)
Type: Primary
Source: security-advisories@github.com
References (all from security-advisories@github.com)
Patch: https://github.com/OpenZeppelin/openzeppelin-contracts/commit/9445f96223041abf2bf08daa56f8da50b674cbcd
Patch: https://github.com/OpenZeppelin/openzeppelin-contracts/commit/e4435eed757d4309436b1e06608e97b6d6e2fdb5
Patch, Vendor Advisory: https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4481
Patch, Vendor Advisory: https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4484
Release Notes: https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.3
Vendor Advisory: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-g4vp-m682-qqmp
Change History: 0 changes found