6.5

CVE-2022-31153

Exploit

OpenZeppelin Contracts for Cairo account cannot process transactions on Goerli

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and Ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only Goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1.

Data provided by the National Vulnerability Database (NVD)

Affected product: OpenZeppelin Contracts, version 0.2.0, software platform: cairo

No advisory was found for this CVE.
EPSS Metrics

Type   Source      Score   Percentile
EPSS   FIRST.org   1.12%   0.618

CVSS Metrics

Source                          Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov                    6.5          2.8             3.6            CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com  6.5          2.8             3.6            CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-664 Improper Control of a Resource Through its Lifetime

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

References

https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203 (Third Party Advisory, Exploit)
https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9 (Patch, Third Party Advisory)
https://github.com/OpenZeppelin/cairo-contracts/issues/386 (Third Party Advisory, Exploit, Issue Tracking)
https://github.com/OpenZeppelin/cairo-contracts/pull/387 (Patch, Third Party Advisory)
https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1 (Third Party Advisory, Release Notes)
https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr (Third Party Advisory)