CVE-2022-35916

OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This issue has been patched in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578	Patch Third Party Advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9j3m-g383-29qr	Third Party Advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578	Patch Third Party Advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9j3m-g383-29qr	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openzeppelin:contracts::::::node.js::*
	cpe:2.3:a:openzeppelin:contracts_upgradeable::::::node.js::*

History

21 Nov 2024, 07:11

Type	Values Removed	Values Added
References	~~() https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578 - Patch, Third Party Advisory~~	() https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578 - Patch, Third Party Advisory
References	~~() https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9j3m-g383-29qr - Third Party Advisory~~	() https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9j3m-g383-29qr - Third Party Advisory

Information

Published : 2022-08-01 21:15

Updated : 2024-11-21 07:11

NVD link : CVE-2022-35916

Mitre link : CVE-2022-35916

CVE.ORG link : CVE-2022-35916

JSON object : View

Products Affected

openzeppelin

contracts_upgradeable
contracts

CWE

CWE-669

Incorrect Resource Transfer Between Spheres

{"id": "CVE-2022-35916", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-08-01T21:15:13.753", "references": [{"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9j3m-g383-29qr", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9j3m-g383-29qr", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-669"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-669"}]}], "descriptions": [{"lang": "en", "value": "OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This issue has been patched in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue."}, {"lang": "es", "value": "OpenZeppelin Contracts es una biblioteca para el desarrollo de contratos inteligentes seguros. Los contratos que usan las utilidades de cadena cruzada para Arbitrum L2, \"CrossChainEnabledArbitrumL2\" o \"LibArbitrumL2\", clasificar\u00e1n las interacciones directas de las cuentas de propiedad externa (EOA) como llamadas de cadena cruzada, aunque no sean iniciadas en L1. Este problema ha sido corregido en versi\u00f3n 4.7.2. Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema"}], "lastModified": "2024-11-21T07:11:57.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "04F2A7F9-E694-4DE8-8681-60EDE2012D1F", "versionEndExcluding": "4.7.2", "versionStartIncluding": "4.6.0"}, {"criteria": "cpe:2.3:a:openzeppelin:contracts_upgradeable:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "0F982DD5-DE20-42F0-9E29-9EC41840D6C7", "versionEndExcluding": "4.7.2", "versionStartIncluding": "4.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}