CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-34459 – OpenZeppelin Contracts's MerkleProof multiproofs may allow proving arbitrary leaves for specific trees
https://notcve.org/view.php?id=CVE-2023-34459
16 Jun 2023 — OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the `verifyMultiProof`, `verifyMultiProofCalldata`, `procesprocessMultiProof`, or `processMultiProofCalldat` functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at dept... • https://github.com/OpenZeppelin/openzeppelin-contracts/commit/4d2383e17186be3e8ccf5a442e9686ecc7de1c55 • CWE-354: Improper Validation of Integrity Check Value •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-34234 – Governor proposal creation may be blocked by frontrunning in OpenZeppelin
https://notcve.org/view.php?id=CVE-2023-34234
07 Jun 2023 — OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. • https://github.com/OpenZeppelin/openzeppelin-contracts/commit/d9474327a492f9f310f31bc53f38dbea56ed9a57 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-30541 – TransparentUpgradeableProxy clashing selector calls may not be delegated in @openzeppelin/contracts
https://notcve.org/view.php?id=CVE-2023-30541
17 Apr 2023 — OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in availability. ... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4154 • CWE-436: Interpretation Conflict •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-30542 – GovernorCompatibilityBravo may trim proposal calldata
https://notcve.org/view.php?id=CVE-2023-30542
16 Apr 2023 — OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The `ProposalCreated` event correctly represents what will eventually execute, but the proposal pa... • https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3 • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-26488 – OpenZeppelin Contracts contains Incorrect Calculation
https://notcve.org/view.php?id=CVE-2023-26488
03 Mar 2023 — OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2. • https://github.com/OpenZeppelin/openzeppelin-contracts/commit/167bf67ed3907f4a674043496019fa346cee7705 • CWE-682: Incorrect Calculation •