10
CVE-2021-39168
- EPSS 1.59%
- Veröffentlicht 27.08.2021 00:15:07
- Zuletzt bearbeitet 21.11.2024 06:18:46
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginTimelockController vulnerability in OpenZeppelin Contracts
OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Openzeppelin ≫ Contracts SwPlatformnode.js Version >= 3.3.0 < 3.4.2
Openzeppelin ≫ Contracts SwPlatformnode.js Version >= 4.0.0 < 4.3.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.59% | 0.725 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| security-advisories@github.com | 10 | 3.9 | 6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md#431
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/cec4f2ef57495d8b1742d62846da212515d99dd5
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-vrw4-w73r-6mm8