SB2022082612 - Multiple vulnerabilities in OpenZeppelin Contracts
Published: August 26, 2022
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2022-35916)
The vulnerability allows a remote attacker to bypass restrictions on functions that are meant to be reachable only through calls relayed from L1.
The vulnerability exists because contracts using the cross-chain utilities for Arbitrum L2, "CrossChainEnabledArbitrumL2" or "LibArbitrumL2", classify direct calls from externally owned accounts (EOAs) on L2 as cross-chain calls, even though those calls did not originate on L1. A remote attacker controlling any L2 EOA can invoke functions guarded by the cross-chain check as if the call had been relayed from L1.
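The following is an added, illustrative example (not OpenZeppelin's code) of the misclassification described above and of a detection check that rejects direct L2 calls. It declares the subset of the Arbitrum "ArbSys" precompile interface it uses; the receiver contract, its "markDelivered" function and the "onlyCrossChain" guard are hypothetical names chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of the ArbSys precompile interface (address 0x64 on Arbitrum L2);
// only the functions used in this example are declared.
interface IArbSys {
    function isTopLevelCall() external view returns (bool);
    function wasMyCallersAddressAliased() external view returns (bool);
    function myCallersAddressWithoutAliasing() external view returns (address);
}

// Hypothetical L2 contract that should accept messages only from L1.
contract L2Receiver {
    IArbSys public constant ARBSYS = IArbSys(0x0000000000000000000000000000000000000064);

    mapping(bytes32 => bool) public delivered;
    address public lastL1Sender;

    error NotCrossChainCall();

    // WEAK detection: isTopLevelCall() is true for any call whose caller has
    // no caller of its own, which includes an ordinary L2 transaction sent by
    // an EOA. An attacker's EOA therefore passes as a "cross-chain" caller.
    function isCrossChainWeak() internal view returns (bool) {
        return ARBSYS.isTopLevelCall();
    }

    // HARDENED detection: the bridge aliases the sender address only when an
    // L1 contract initiated the message, so an aliased caller is a genuine
    // L1-originated call and a direct L2 call is rejected.
    function isCrossChain() internal view returns (bool) {
        return ARBSYS.wasMyCallersAddressAliased();
    }

    modifier onlyCrossChain() {
        if (!isCrossChain()) revert NotCrossChainCall();
        _;
    }

    // Records a message as delivered from L1. If the modifier used
    // isCrossChainWeak() instead, any L2 EOA could call this directly and
    // forge deliveries without anything having happened on L1.
    function markDelivered(bytes32 messageId) external onlyCrossChain {
        delivered[messageId] = true;
        // Recover the un-aliased L1 address behind the relayed call.
        lastL1Sender = ARBSYS.myCallersAddressWithoutAliasing();
    }
}
```

When auditing a deployment, locate every function guarded only by the cross-chain check and confirm that the detection it relies on cannot be satisfied by a plain L2 transaction; a sender check on the recovered L1 address alone does not protect a function whose guard is merely "is this cross-chain".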
2) Resource exhaustion (CVE-ID: CVE-2022-35915)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the library's EIP-165 "supportsInterface" query does not bound the gas consumed by the contract being queried: it forwards the caller's remaining gas and copies whatever return data the target produces, although such a query is generally assumed to have a bounded cost. A remote attacker who controls the address being queried can burn the forwarded gas or return a very large payload, causing the querying transaction to run out of gas and resulting in a denial of service.
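The following is an added example (not OpenZeppelin's code) that places an unbounded EIP-165 query beside a bounded one, together with a constructed hostile target. The 30,000-gas cap comes from EIP-165, which requires "supportsInterface" to complete in under 30,000 gas; the library and contract names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical helper library for querying EIP-165 support on an arbitrary address.
library BoundedERC165Query {
    bytes4 internal constant SUPPORTS_INTERFACE_SELECTOR = 0x01ffc9a7; // supportsInterface(bytes4)

    // WEAK: forwards all remaining gas, and the high-level staticcall copies
    // the entire return payload into this frame's memory. A hostile target
    // can burn the forwarded gas or answer with megabytes of data, so the
    // "cheap" query can exhaust the caller's whole gas budget.
    function supportsInterfaceWeak(address target, bytes4 interfaceId) internal view returns (bool) {
        (bool ok, bytes memory ret) = target.staticcall(
            abi.encodeWithSelector(SUPPORTS_INTERFACE_SELECTOR, interfaceId)
        );
        return ok && ret.length >= 32 && abi.decode(ret, (uint256)) == 1;
    }

    // HARDENED: cap the forwarded gas and copy at most 32 bytes of return data
    // into scratch space. returndatasize() is only read, never copied, so a
    // huge payload cannot inflate the caller's memory-expansion cost. Any
    // failure yields false instead of a revert.
    function supportsInterface(address target, bytes4 interfaceId) internal view returns (bool) {
        bytes memory data = abi.encodeWithSelector(SUPPORTS_INTERFACE_SELECTOR, interfaceId);
        bool ok;
        uint256 retSize;
        uint256 retValue;
        assembly {
            ok := staticcall(30000, target, add(data, 0x20), mload(data), 0x00, 0x20)
            retSize := returndatasize()
            retValue := mload(0x00)
        }
        return ok && retSize >= 0x20 && retValue == 1;
    }
}

// Constructed hostile target: the reply is 1 MiB of zeros. Under the weak
// query the querying contract pays millions of gas (the target's memory
// expansion plus the caller's own copy of the payload); under the 30,000-gas
// cap the target runs out of gas and the query simply returns false.
contract ReturnDataBomb {
    function supportsInterface(bytes4) external pure returns (bool) {
        assembly {
            return(0, 0x100000)
        }
    }
}
```

Both halves of the hardened version matter: a gas cap alone still lets a high-level call copy an oversized return payload into the caller's memory, and a fixed 32-byte output buffer alone still lets the target burn all forwarded gas.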
3) Incorrect calculation (CVE-ID: CVE-2022-31198)
The vulnerability allows the outcome of governance proposals that have already been voted on to change after voting has ended.
The vulnerability exists due to an incorrect calculation in the "GovernorVotesQuorumFraction" module: the quorum for a past block is computed with the quorum numerator currently in force rather than with the numerator that applied at that block. When the quorum fraction is updated, the quorum of proposals whose voting period has ended changes retroactively, so a proposal that was defeated for lack of quorum may become executable (or a successful one may become defeated) without any new votes being cast.
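The following is an added example (not OpenZeppelin's code) contrasting a quorum fraction stored as a single mutable number with one whose changes are checkpointed by block, so that "quorum(blockNumber)" for a past snapshot is stable. The votes-token interface is reduced to the one historical-supply lookup the example needs, and all contract and function names are chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal shape of a votes token's historical total-supply lookup.
interface IVotesSupply {
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}

// WEAK: one mutable numerator. quorum(snapshot) for a proposal that ended
// long ago is evaluated with whatever numerator is in force now, so an
// update retroactively changes whether that proposal reached quorum.
contract QuorumFractionWeak {
    IVotesSupply public immutable token;
    uint256 public quorumNumerator;

    constructor(IVotesSupply token_, uint256 numerator) {
        token = token_;
        quorumNumerator = numerator;
    }

    function quorum(uint256 blockNumber) public view returns (uint256) {
        return (token.getPastTotalSupply(blockNumber) * quorumNumerator) / 100;
    }

    function updateQuorumNumerator(uint256 newNumerator) external {
        // (governance-only in a real Governor)
        quorumNumerator = newNumerator;
    }
}

// HARDENED: every numerator change is checkpointed at the block it took
// effect, and quorum(blockNumber) uses the numerator in force at that block.
// Past proposals therefore keep the quorum they were voted under.
contract QuorumFractionCheckpointed {
    struct Checkpoint {
        uint256 fromBlock;
        uint256 numerator;
    }

    IVotesSupply public immutable token;
    Checkpoint[] private _history;

    event QuorumNumeratorUpdated(uint256 oldNumerator, uint256 newNumerator);

    constructor(IVotesSupply token_, uint256 numerator) {
        token = token_;
        _update(numerator);
    }

    function quorumDenominator() public pure returns (uint256) {
        return 100;
    }

    // Latest numerator, i.e. the value most recently set.
    function quorumNumerator() public view returns (uint256) {
        uint256 n = _history.length;
        return n == 0 ? 0 : _history[n - 1].numerator;
    }

    // Numerator in force at blockNumber: the last checkpoint with fromBlock <= blockNumber.
    function quorumNumerator(uint256 blockNumber) public view returns (uint256) {
        uint256 low = 0;
        uint256 high = _history.length;
        while (low < high) {
            uint256 mid = (low + high) / 2;
            if (_history[mid].fromBlock > blockNumber) {
                high = mid;
            } else {
                low = mid + 1;
            }
        }
        return high == 0 ? 0 : _history[high - 1].numerator;
    }

    function quorum(uint256 blockNumber) public view returns (uint256) {
        return (token.getPastTotalSupply(blockNumber) * quorumNumerator(blockNumber)) / quorumDenominator();
    }

    function updateQuorumNumerator(uint256 newNumerator) external {
        // (governance-only in a real Governor)
        _update(newNumerator);
    }

    function _update(uint256 newNumerator) private {
        require(newNumerator <= quorumDenominator(), "numerator > denominator");
        uint256 old = quorumNumerator();
        uint256 n = _history.length;
        if (n > 0 && _history[n - 1].fromBlock == block.number) {
            _history[n - 1].numerator = newNumerator; // same-block update: overwrite
        } else {
            _history.push(Checkpoint({fromBlock: block.number, numerator: newNumerator}));
        }
        emit QuorumNumeratorUpdated(old, newNumerator);
    }
}
```

A Governor decides whether a proposal reached quorum by evaluating quorum at the proposal's snapshot block; with the checkpointed variant that value is fixed once the snapshot block has passed, so a later update can only affect proposals whose snapshot lies after the update. A query for a block before the first checkpoint returns 0 here, which is why the constructor records the initial numerator immediately.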
Remediation
Install the update from the vendor's website (OpenZeppelin Contracts 4.7.2 or later contains the fixes referenced below) and redeploy or upgrade affected contracts; a library update alone does not patch contracts already on chain.
References
- https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9j3m-g383-29qr
- https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-7grf-83vw-6f5x
- https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3561
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-xrc4-737v-9q75