logo

Database

OS Command Injection In @openzeppelin/contracts

Description

OpenZeppelin Contracts vulnerable to Improper Escaping of Output

Impact

OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using ERC2771Context along with a custom trusted forwarder may see _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for MinimalForwarder from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders.

Patches

The problem has been patched in v4.9.3.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-400142. NVD-2023-400143. OSV-2023-400144. GHSA-g4vp-m682-qqmp5. GCVE-2023-40014

References

1. https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-g4vp-m682-qqmp2. https://github.com/OpenZeppelin/openzeppelin-contracts/pull/44813. https://github.com/OpenZeppelin/openzeppelin-contracts/pull/44844. https://github.com/OpenZeppelin/openzeppelin-contracts/commit/9445f96223041abf2bf08daa56f8da50b674cbcd5. https://github.com/OpenZeppelin/openzeppelin-contracts/commit/e4435eed757d4309436b1e06608e97b6d6e2fdb56. https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.9.3/CHANGELOG.md7. https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.