CVE-2023-49798

OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released in `@openzeppelin/contracts@4.9.4` and `@openzeppelin/contracts-upgradeable@4.9.4`, all subcalls are executed twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers. The duplicated delegatecall was removed in version 4.9.5. The 4.9.4 version is marked as deprecated. Users are advised to upgrade. There are no known workarounds for this issue.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openzeppelin:contracts:4.9.4:*:*:*:*:node.js:*:*
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.9.4:*:*:*:*:node.js:*:*

History

13 Dec 2023, 17:15

Type Values Removed Values Added
References () https://github.com/OpenZeppelin/openzeppelin-contracts/commit/88ac712e06832bce73b41e8166cded2729e25205 - () https://github.com/OpenZeppelin/openzeppelin-contracts/commit/88ac712e06832bce73b41e8166cded2729e25205 - Patch
References () https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-699g-q6qh-q4v8 - () https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-699g-q6qh-q4v8 - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:openzeppelin:contracts:4.9.4:*:*:*:*:node.js:*:*
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.9.4:*:*:*:*:node.js:*:*

09 Dec 2023, 00:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-12-09 00:15

Updated : 2024-02-05 00:22


NVD link : CVE-2023-49798

Mitre link : CVE-2023-49798

CVE.ORG link : CVE-2023-49798


JSON object : View

Products Affected

openzeppelin

  • contracts
  • contracts_upgradeable
CWE
CWE-670

Always-Incorrect Control Flow Implementation