CVE-2023-23940
OpenZeppelin Contracts contains Improper Verification of Cryptographic Signature
Description
OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.
How to fix CVE-2023-23940
To remediate CVE-2023-23940, upgrade the affected package to a fixed version below.
- —upgrade to 0.6.1 or later
- —upgrade to 6d4cb750478fca2fd916f73297632f899aca9299 or later
Is CVE-2023-23940 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0.2.0, < 0.6.1
- from 0, < 6d4cb750478fca2fd916f73297632f899aca9299 | >= 0.2.0, < 0.6.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |