CVE-2023-30542

OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The `ProposalCreated` event correctly represents what will eventually execute, but the proposal parameters as queried through `getActions` appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length `signatures` and `calldatas` parameters.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*
cpe:2.3:a:openzeppelin:contracts_upgradeable:*:*:*:*:*:node.js:*:*

History

27 Apr 2023, 13:23

Type Values Removed Values Added
References (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-93hq-5wgc-jc82 - (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-93hq-5wgc-jc82 - Vendor Advisory
References (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3 - (MISC) https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3 - Release Notes
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CPE cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*
cpe:2.3:a:openzeppelin:contracts_upgradeable:*:*:*:*:*:node.js:*:*
CWE CWE-20 NVD-CWE-noinfo

17 Apr 2023, 13:12

Type Values Removed Values Added
New CVE

Information

Published : 2023-04-16 08:15

Updated : 2024-02-04 23:37


NVD link : CVE-2023-30542

Mitre link : CVE-2023-30542

CVE.ORG link : CVE-2023-30542


JSON object : View

Products Affected

openzeppelin

  • contracts
  • contracts_upgradeable
CWE
NVD-CWE-noinfo CWE-20

Improper Input Validation