#VU66781 undefined in OpenZeppelin Contracts - CVE-2022-35916

Cybersecurity Help s.r.o.

Published: 2022-08-26

Vulnerability identifier: #VU66781

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-35916

CWE-ID: CWE-669

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenZeppelin Contracts
Universal components / Libraries / Libraries used by multiple products

Vendor: OpenZeppelin

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to contracts using the cross chain utilies for Arbitrum L2, "CrossChainEnabledArbitrumL2" or "LibArbitrumL2", will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. A remote attacker can perform arbitrary action on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenZeppelin Contracts: 4.6.0 - 4.7.1

External links
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9j3m-g383-29qr

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in OpenZeppelin Contracts