CVE-2023-49798 @openzeppelin/contracts

Package

Manager: npm
Name: @openzeppelin/contracts
Vulnerable Version: =4.9.4 || >=4.9.4 <4.9.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00376 (percentile 0.58397)

Details

OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4

Context

A merge conflict resolution issue when porting the v5.0.1 `Multicall` update to the v4.9 branch caused a duplicated line.

Impact

Versions using `Multicall` from `@openzeppelin/contracts@4.9.4` and `@openzeppelin/contracts-upgradeable@4.9.4` will execute each subcall twice. Concretely, this exposes a user to unintentionally duplicated operations, such as asset transfers.

Patches

The duplicated `delegatecall` was removed in 4.9.5. The 4.9.4 version is marked as deprecated.
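
The shape of the bug and of the fix, as a constructed illustration added here (this is not OpenZeppelin's code; `Delegate.call` is a hypothetical stand-in for `Address.functionDelegateCall`, and the counter contracts are a test harness that makes the duplication observable):

```solidity
// SPDX-License-Identifier: MIT
// Constructed illustration of the CVE-2023-49798 pattern; not OpenZeppelin's code.
pragma solidity ^0.8.20;

library Delegate {
    // Hypothetical stand-in for Address.functionDelegateCall: delegatecall and bubble up reverts.
    function call(address target, bytes memory data) internal returns (bytes memory) {
        (bool ok, bytes memory ret) = target.delegatecall(data);
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
        return ret;
    }
}

// Vulnerable shape: a merge left both the old and the new delegatecall line in the loop,
// so every encoded subcall is executed twice (the first result is simply overwritten).
abstract contract MulticallDuplicated {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = Delegate.call(address(this), data[i]); // stale line left by the merge
            results[i] = Delegate.call(address(this), data[i]); // intended line
        }
    }
}

// Fixed shape: exactly one delegatecall per entry.
abstract contract MulticallFixed {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = Delegate.call(address(this), data[i]);
        }
    }
}

// Test harness: after multicall([abi.encodeCall(this.increment, ())]) the vulnerable
// contract reports count == 2, the fixed one count == 1. A unit test asserting that
// one subcall changes state exactly once catches this regression.
contract CounterDuplicated is MulticallDuplicated {
    uint256 public count;
    function increment() external { count += 1; }
}

contract CounterFixed is MulticallFixed {
    uint256 public count;
    function increment() external { count += 1; }
}
```

For a token, the same duplication turns a single batched `transfer` into two transfers, which is the asset-duplication impact the advisory describes.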

Metadata

Created: 2023-12-12T00:49:25Z
Modified: 2023-12-12T00:49:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-699g-q6qh-q4v8/GHSA-699g-q6qh-q4v8.json
CWE IDs: ["CWE-670"]
Alternative ID: GHSA-699g-q6qh-q4v8
Finding: F164
Auto approve: 1