#VU66781 in OpenZeppelin Contracts - CVE-2022-35916
Published: August 26, 2022
Vulnerability identifier: #VU66781
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-35916
CWE-ID: CWE-669
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OpenZeppelin Contracts
Software vendor:
OpenZeppelin
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because contracts using the cross-chain utilities for Arbitrum L2, "CrossChainEnabledArbitrumL2" or "LibArbitrumL2", classify direct interactions of externally owned accounts (EOAs) as cross-chain calls, even though they are not started on L1. A remote attacker can perform arbitrary actions on the system.
Remediation
Install updates from vendor's website.