CVE-2024-45304

Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. This vulnerability can lead to unauthorized ownership transfer, contrary to the original owner's intention of leaving the contract without an owner. It introduces a security risk where an unintended party (pending owner) can gain control of the contract after the original owner has renounced ownership. This could also be used by a malicious owner to simulate leaving a contract without an owner, to later regain ownership by previously having proposed himself as a pending owner. This issue has been addressed in release version 0.16.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Configurations

Configuration 1

cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:cairo:*:*

History

19 Sep 2024, 17:26

| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | Openzeppelin contracts; Openzeppelin |
| CPE | | cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:cairo:*:* |
| CVSS | v2 : unknown; v3 : 5.3 | v2 : unknown; v3 : 6.5 |
| References | https://github.com/OpenZeppelin/cairo-contracts/commit/ef87d7847980e0cf83f4b7f3ff23e6590fb643ec | https://github.com/OpenZeppelin/cairo-contracts/commit/ef87d7847980e0cf83f4b7f3ff23e6590fb643ec - Patch |
| References | https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.16.0 | https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.16.0 - Release Notes |
| References | https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-w2px-25pm-2cf9 | https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-w2px-25pm-2cf9 - Vendor Advisory |

03 Sep 2024, 12:59

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | (es) Cairo contracts are OpenZeppelin contracts written in Cairo for Starknet, a decentralized ZK Rollup. This vulnerability can lead to an unauthorized ownership transfer, contrary to the original owner's intention of leaving the contract without an owner. It introduces a security risk in which an unintended party (pending owner) can gain control of the contract after the original owner has renounced ownership. This could also be used by a malicious owner to simulate leaving a contract without an owner, and later regain ownership by having previously proposed themselves as pending owner. This issue has been fixed in release version 0.16.0. All users are advised to upgrade. There are no workarounds for this vulnerability. |

31 Aug 2024, 00:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2024-08-31 00:15

Updated : 2024-09-19 17:26


NVD link : CVE-2024-45304

Mitre link : CVE-2024-45304

CVE.ORG link : CVE-2024-45304



Products Affected

openzeppelin

  • contracts

CWE

CWE-670: Always-Incorrect Control Flow Implementation