OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released in `@openzeppelin/contracts@4.9.4` and `@openzeppelin/contracts-upgradeable@4.9.4`, all subcalls are executed twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers. The duplicated delegatecall was removed in version 4.9.5. The 4.9.4 version is marked as deprecated. Users are advised to upgrade. There are no known workarounds for this issue.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:33
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.9 |
| References | () https://github.com/OpenZeppelin/openzeppelin-contracts/commit/88ac712e06832bce73b41e8166cded2729e25205 - Patch | |
| References | () https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-699g-q6qh-q4v8 - Vendor Advisory |
13 Dec 2023, 17:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-12-09 00:15
Updated : 2024-11-21 08:33
NVD link : CVE-2023-49798
Mitre link : CVE-2023-49798
CVE.ORG link : CVE-2023-49798
JSON object : View
Products Affected
openzeppelin
- contracts_upgradeable
- contracts
CWE
CWE-670
Always-Incorrect Control Flow Implementation