CVE-2023-26488

OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*
cpe:2.3:a:openzeppelin:contracts_upgradeable:*:*:*:*:*:node.js:*:*

History

10 Mar 2023, 14:54

Type Values Removed Values Added
CPE cpe:2.3:a:openzeppelin:contracts_upgradeable:*:*:*:*:*:node.js:*:*
cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
References (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/commit/167bf67ed3907f4a674043496019fa346cee7705 - (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/commit/167bf67ed3907f4a674043496019fa346cee7705 - Patch
References (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.2 - (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.2 - Release Notes
References (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-878m-3g6q-594q - (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-878m-3g6q-594q - Third Party Advisory

03 Mar 2023, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-03-03 22:15

Updated : 2024-02-04 23:14


NVD link : CVE-2023-26488

Mitre link : CVE-2023-26488

CVE.ORG link : CVE-2023-26488


JSON object : View

Products Affected

openzeppelin

  • contracts
  • contracts_upgradeable
CWE
CWE-682

Incorrect Calculation