CVE-2022-39384

OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible in the scenario described above, breaking the expectation that there is a single execution. Note that upgradeable proxies are commonly initialized together with contract creation, where reentrancy is not feasible, so the impact of this issue is believed to be minor. This issue has been patched, please upgrade to version 4.4.1. As a workaround, avoid untrusted external calls during initialization.

CVSS v3 5.6 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3006	Patch Third Party Advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9c22-pwxw-p6hx	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openzeppelin:contracts::::::node.js::*
	cpe:2.3:a:openzeppelin:contracts_upgradeable::::::node.js::*

History

07 Nov 2022, 17:07

Type	Values Removed	Values Added
CWE		CWE-665
References	~~(CONFIRM) https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9c22-pwxw-p6hx -~~	(CONFIRM) https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9c22-pwxw-p6hx - Third Party Advisory
References	~~(MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3006 -~~	(MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3006 - Patch, Third Party Advisory
CPE		cpe:2.3:a:openzeppelin:contracts-upgradeable::::::node.js::* cpe:2.3:a:openzeppelin:contracts::::::node.js::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.6

04 Nov 2022, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-04 22:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-39384

Mitre link : CVE-2022-39384

CVE.ORG link : CVE-2022-39384

JSON object : View

Products Affected

openzeppelin

contracts_upgradeable
contracts

CWE

CWE-665

Improper Initialization

5.6 /10