CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27094 – OpenZeppelin Contracts base64 encoding may read from potentially dirty memory
https://notcve.org/view.php?id=CVE-2024-27094
29 Feb 2024 — OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6. OpenZeppelin Contracts es una librería para el desarrollo seguro de contratos inteligentes. • https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/2d081f24cac1a867f6f73d512f2022e1fa987854 • CWE-125: Out-of-bounds Read •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-40014 – OpenZeppelin Contracts's ERC2771Context with custom forwarder may lead to zero-valued _msgSender
https://notcve.org/view.php?id=CVE-2023-40014
10 Aug 2023 — OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is awar... • https://github.com/OpenZeppelin/openzeppelin-contracts/commit/9445f96223041abf2bf08daa56f8da50b674cbcd • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2022-35915 – Unbounded gas consumption in @openzeppelin/contracts
https://notcve.org/view.php?id=CVE-2022-35915
01 Aug 2022 — OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-46320
https://notcve.org/view.php?id=CVE-2021-46320
04 Feb 2022 — In OpenZeppelin <=v4.4.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible, breaking the expectation that there is a single execution. En OpenZeppelin versiones anteriores a v4.4.0 incluyéndola, las funciones d... • https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9c22-pwxw-p6hx • CWE-665: Improper Initialization •