CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31172 – OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
https://notcve.org/view.php?id=CVE-2022-31172
21 Jul 2022 — OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatu... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552 • CWE-20: Improper Input Validation CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41264 – UUPSUpgradeable vulnerability in OpenZeppelin Contracts
https://notcve.org/view.php?id=CVE-2021-41264
12 Nov 2021 — OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the f... • https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301 • CWE-665: Improper Initialization •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-39167 – TimelockController vulnerability in OpenZeppelin Contracts
https://notcve.org/view.php?id=CVE-2021-39167
26 Aug 2021 — OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. • https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md#431 • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-39168 – TimelockController vulnerability in OpenZeppelin Contracts
https://notcve.org/view.php?id=CVE-2021-39168
26 Aug 2021 — OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. • https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-vrw4-w73r-6mm8 • CWE-269: Improper Privilege Management •