OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301).
References
Link | Resource |
---|---|
https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301 | Issue Tracking Mitigation Patch Vendor Advisory |
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592 | Patch Third Party Advisory |
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76 | Third Party Advisory |
https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301 | Issue Tracking Mitigation Patch Vendor Advisory |
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592 | Patch Third Party Advisory |
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76 | Third Party Advisory |
Configurations
History
21 Nov 2024, 06:25
Type | Values Removed | Values Added |
---|---|---|
References | () https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301 - Issue Tracking, Mitigation, Patch, Vendor Advisory | |
References | () https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592 - Patch, Third Party Advisory | |
References | () https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76 - Third Party Advisory |
15 Nov 2021, 15:01
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:* | |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
References | (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592 - Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76 - Third Party Advisory | |
References | (MISC) https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301 - Issue Tracking, Mitigation, Patch, Vendor Advisory |
12 Nov 2021, 22:10
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-11-12 18:15
Updated : 2024-11-21 06:25
NVD link : CVE-2021-41264
Mitre link : CVE-2021-41264
CVE.ORG link : CVE-2021-41264
JSON object : View
Products Affected
openzeppelin
- contracts
CWE
CWE-665
Improper Initialization