CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-30541 – TransparentUpgradeableProxy clashing selector calls may not be delegated in @openzeppelin/contracts
https://notcve.org/view.php?id=CVE-2023-30541
17 Apr 2023 — OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in availability. ... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4154 • CWE-436: Interpretation Conflict •
CVSS: 5.6EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39384 – OpenZeppelin Contracts initializer reentrancy may lead to double initialization
https://notcve.org/view.php?id=CVE-2022-39384
04 Nov 2022 — OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible in the scenario described above, breaking the ex... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3006 • CWE-665: Improper Initialization •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2022-35915 – Unbounded gas consumption in @openzeppelin/contracts
https://notcve.org/view.php?id=CVE-2022-35915
01 Aug 2022 — OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-39167 – TimelockController vulnerability in OpenZeppelin Contracts
https://notcve.org/view.php?id=CVE-2021-39167
26 Aug 2021 — OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. • https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md#431 • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-39168 – TimelockController vulnerability in OpenZeppelin Contracts
https://notcve.org/view.php?id=CVE-2021-39168
26 Aug 2021 — OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. • https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-vrw4-w73r-6mm8 • CWE-269: Improper Privilege Management •