CVE-2022-31153

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203	Exploit Third Party Advisory
https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9	Patch Third Party Advisory
https://github.com/OpenZeppelin/cairo-contracts/issues/386	Exploit Issue Tracking Third Party Advisory
https://github.com/OpenZeppelin/cairo-contracts/pull/387	Patch Third Party Advisory
https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1	Release Notes Third Party Advisory
https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr	Third Party Advisory
https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203	Exploit Third Party Advisory
https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9	Patch Third Party Advisory
https://github.com/OpenZeppelin/cairo-contracts/issues/386	Exploit Issue Tracking Third Party Advisory
https://github.com/OpenZeppelin/cairo-contracts/pull/387	Patch Third Party Advisory
https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1	Release Notes Third Party Advisory
https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openzeppelin:contracts:0.2.0:*:*:*:*:cairo:*:*

History

21 Nov 2024, 07:04

Type	Values Removed	Values Added
References	~~() https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203 - Exploit, Third Party Advisory~~	() https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203 - Exploit, Third Party Advisory
References	~~() https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9 - Patch, Third Party Advisory~~	() https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9 - Patch, Third Party Advisory
References	~~() https://github.com/OpenZeppelin/cairo-contracts/issues/386 - Exploit, Issue Tracking, Third Party Advisory~~	() https://github.com/OpenZeppelin/cairo-contracts/issues/386 - Exploit, Issue Tracking, Third Party Advisory
References	~~() https://github.com/OpenZeppelin/cairo-contracts/pull/387 - Patch, Third Party Advisory~~	() https://github.com/OpenZeppelin/cairo-contracts/pull/387 - Patch, Third Party Advisory
References	~~() https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1 - Release Notes, Third Party Advisory~~	() https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1 - Release Notes, Third Party Advisory
References	~~() https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr - Third Party Advisory~~	() https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr - Third Party Advisory

22 Jul 2022, 16:38

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/OpenZeppelin/cairo-contracts/pull/387 -~~	(MISC) https://github.com/OpenZeppelin/cairo-contracts/pull/387 - Patch, Third Party Advisory
References	~~(CONFIRM) https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr -~~	(CONFIRM) https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr - Third Party Advisory
References	~~(MISC) https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9 -~~	(MISC) https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9 - Patch, Third Party Advisory
References	~~(MISC) https://github.com/OpenZeppelin/cairo-contracts/issues/386 -~~	(MISC) https://github.com/OpenZeppelin/cairo-contracts/issues/386 - Exploit, Issue Tracking, Third Party Advisory
References	~~(MISC) https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203 -~~	(MISC) https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203 - Exploit, Third Party Advisory
References	~~(MISC) https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1 -~~	(MISC) https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1 - Release Notes, Third Party Advisory
CPE		cpe:2.3:a:openzeppelin:contracts:0.2.0:::::cairo::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CWE	~~CWE-664~~	CWE-863

15 Jul 2022, 18:57

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-07-15 18:15

Updated : 2024-11-21 07:04

NVD link : CVE-2022-31153

Mitre link : CVE-2022-31153

CVE.ORG link : CVE-2022-31153

JSON object : View

Products Affected

openzeppelin

contracts

CWE

CWE-664

Improper Control of a Resource Through its Lifetime

CWE-863

Incorrect Authorization

6.5 /10