CVE-2021-46320

Severity Score: 7.5 (*CVSS v3.1)
Exploit Likelihood: - (*EPSS)
Affected Versions: - (*CPE)
Public Exploits: 0 (*Multiple Sources)
Exploited in Wild: - (*KEV)
Decision: - (*SSVC)
Descriptions

In OpenZeppelin <=v4.4.0, initializer functions that are invoked separately from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible, breaking the expectation that there is a single execution.


*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-01-18 CVE Reserved
  • 2022-02-04 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-665: Improper Initialization
CAPEC
Affected Vendors, Products, and Versions
Vendor        Product       Version             Other  Status
Openzeppelin  Openzeppelin  >= 3.2.0 <= 4.4.0   -      Affected