OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.
References
Link | Resource |
---|---|
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-vrw4-w73r-6mm8 | Third Party Advisory |
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md#431 | Patch Release Notes Third Party Advisory |
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/cec4f2ef57495d8b1742d62846da212515d99dd5 | Patch Third Party Advisory |
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-vrw4-w73r-6mm8 | Third Party Advisory |
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md#431 | Patch Release Notes Third Party Advisory |
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/cec4f2ef57495d8b1742d62846da212515d99dd5 | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 06:18
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 10.0 |
References | () https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-vrw4-w73r-6mm8 - Third Party Advisory | |
References | () https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md#431 - Patch, Release Notes, Third Party Advisory | |
References | () https://github.com/OpenZeppelin/openzeppelin-contracts/commit/cec4f2ef57495d8b1742d62846da212515d99dd5 - Patch, Third Party Advisory |
01 Sep 2021, 17:11
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:* | |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
References | (CONFIRM) https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-vrw4-w73r-6mm8 - Third Party Advisory | |
References | (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/commit/cec4f2ef57495d8b1742d62846da212515d99dd5 - Patch, Third Party Advisory | |
References | (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md#431 - Patch, Release Notes, Third Party Advisory |
27 Aug 2021, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-08-27 00:15
Updated : 2024-11-21 06:18
NVD link : CVE-2021-39168
Mitre link : CVE-2021-39168
CVE.ORG link : CVE-2021-39168
JSON object : View
Products Affected
openzeppelin
- contracts
CWE
CWE-269
Improper Privilege Management