CVE-2023-40014
Severity: MEDIUM 5.3 | EPSS 0.61%
OpenZeppelin Contracts vulnerable to Improper Escaping of Output
Published: 8/11/2023 | Modified: 11/8/2023
Also known as: GHSA-g4vp-m682-qqmp
Description
### Impact

OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common; in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders.

### Patches

The problem has been patched in v4.9.3.
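An added Solidity illustration of the affected `_msgSender` pattern beside the calldata-length guard that v4.9.3 introduces; this is example code, not the library's own, and the names `Forwarded`, `RecipientVulnerable`, `RecipientFixed`, `isTrustedForwarder` and `whoAmI` are chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative ERC2771Context-style recipients (added example, not OpenZeppelin code).
// The trusted forwarder address is supplied at deployment; names are made up for the example.
abstract contract Forwarded {
    address internal immutable trustedForwarder;

    constructor(address forwarder) { trustedForwarder = forwarder; }

    function isTrustedForwarder(address f) public view returns (bool) {
        return f == trustedForwarder;
    }
}

// Affected pattern (< 4.9.3): when the call comes from the trusted forwarder, the
// sender is read from the last 20 bytes of calldata. If fewer than 20 bytes are
// present, sub(calldatasize(), 20) wraps around and calldataload of that out-of-range
// offset yields zeros, so `sender` ends up as address(0).
contract RecipientVulnerable is Forwarded {
    constructor(address f) Forwarded(f) {}

    function _msgSender() internal view returns (address sender) {
        if (isTrustedForwarder(msg.sender)) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    function whoAmI() external view returns (address) { return _msgSender(); }
}

// Hardened pattern (equivalent to the 4.9.3 guard): only trust the appended address
// when at least 20 bytes of calldata exist; otherwise fall back to msg.sender, which
// in the forwarded case is the forwarder itself rather than address(0).
contract RecipientFixed is Forwarded {
    constructor(address f) Forwarded(f) {}

    function _msgSender() internal view returns (address sender) {
        if (isTrustedForwarder(msg.sender) && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    function whoAmI() external view returns (address) { return _msgSender(); }
}
```

A recipient that cannot upgrade immediately can additionally reject `address(0)` from `_msgSender()` in privileged paths, since a zero sender can never be a legitimate signer.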
Affected packages (2)
- npm/@openzeppelin/contracts: >= 4.0.0, < 4.9.3
- npm/@openzeppelin/contracts-upgradeable: >= 4.0.0, < 4.9.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-40014
- PATCH: https://github.com/OpenZeppelin/openzeppelin-contracts
- WEB: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.9.3/CHANGELOG.md
- WEB: https://github.com/OpenZeppelin/openzeppelin-contracts/commit/9445f96223041abf2bf08daa56f8da50b674cbcd
- WEB: https://github.com/OpenZeppelin/openzeppelin-contracts/commit/e4435eed757d4309436b1e06608e97b6d6e2fdb5
- WEB: https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4481
- WEB: https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4484
- WEB: https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.3
- WEB: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-g4vp-m682-qqmp