CVSS v3.1 base score (NVD): 7.4

CVE-2024-27094

OpenZeppelin Contracts base64 encoding may read from potentially dirty memory

OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When the input length is not a multiple of 3, the last iteration may read memory beyond the end of the input buffer, so one or two bits-worth of whatever the caller left in the word after the buffer leak into the sextet(s) immediately preceding the `=` padding; the encoded output of such inputs therefore depends on the state of adjacent memory rather than on the input alone. The vulnerability is fixed in 5.0.2 and 4.9.6.
Data provided by the National Vulnerability Database (NVD)

Affected products (NVD configuration data; platform: node.js):
  OpenZeppelin Contracts              >= 4.5.0, < 4.9.6
  OpenZeppelin Contracts              >= 5.0.0, < 5.0.2
  OpenZeppelin Contracts Upgradeable  >= 4.5.0, < 4.9.6
  OpenZeppelin Contracts Upgradeable  >= 5.0.0, < 5.0.2
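A worked model of the bug and of the fix, added here as an example. It is Python, not the library's Solidity, and simulates EVM memory as a `bytearray` so the influence of the word after the input buffer can be observed directly. The pointer arithmetic follows the assembly loop described above (the data pointer is advanced by 3 and a full 32-byte word is loaded, whose low three bytes are the current chunk); `encode_fixed` models the patched behaviour of caching and zeroing the word at `endPtr + 0x20` around the otherwise unchanged loop and restoring it afterwards. The function names, the memory-layout helper and the sample inputs (`b"a"`, `b"ab"`, an all-`0xff` dirty word) are this example's own constructions.

```python
"""Model of the pre-fix OpenZeppelin Base64.encode loop and of the fix.

Added example, not library code. EVM memory is a bytearray; `data` is the
offset of the 32-byte big-endian length word, the payload follows it, and the
32-byte word after the payload holds whatever 'dirty' bytes earlier memory
use left behind (constructed here; in a real contract it is caller state).
"""
import base64

TABLE = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def lay_out(payload: bytes, dirty_tail: bytes) -> bytearray:
    """Build simulated memory: [length word][payload][one dirty word]."""
    if len(dirty_tail) > 32:
        raise ValueError("the dirty tail is a single 32-byte word")
    mem = bytearray(len(payload).to_bytes(32, "big"))
    mem += payload
    mem += dirty_tail.ljust(32, b"\x00")
    return mem


def encode_vulnerable(mem: bytearray, data: int = 0) -> str:
    """Byte-for-byte model of the loop in versions before 4.9.6 / 5.0.2."""
    length = int.from_bytes(mem[data:data + 32], "big")
    if length == 0:
        return ""
    out = bytearray()
    data_ptr, end_ptr = data, data + length
    while data_ptr < end_ptr:
        data_ptr += 3
        # mload(dataPtr): a 32-byte word whose LOW three bytes are the chunk.
        # On the last iteration of a non-multiple-of-3 input, one or two of
        # those three bytes lie past the payload, i.e. in the dirty word.
        word = int.from_bytes(mem[data_ptr:data_ptr + 32], "big")
        for shift in (18, 12, 6, 0):
            out.append(TABLE[(word >> shift) & 0x3F])
    # The '=' padding overwrites the trailing characters, but dirty bits that
    # bled into the sextet *before* the padding survive in the output.
    rem = length % 3
    if rem == 1:
        out[-1] = out[-2] = 0x3D
    elif rem == 2:
        out[-1] = 0x3D
    return out.decode("ascii")


def encode_fixed(mem: bytearray, data: int = 0) -> str:
    """Model of the fix: cache the word right after the payload, zero it so
    the final mload reads clean bytes, run the unchanged loop, restore it."""
    length = int.from_bytes(mem[data:data + 32], "big")
    after_ptr = data + 32 + length  # corresponds to add(endPtr, 0x20)
    cache = bytes(mem[after_ptr:after_ptr + 32])
    mem[after_ptr:after_ptr + 32] = bytes(32)
    try:
        return encode_vulnerable(mem, data)
    finally:
        mem[after_ptr:after_ptr + 32] = cache


def leaked_positions(payload: bytes, tail: bytes = b"\xff" * 32) -> list:
    """Output indices that change when the word after the payload is dirty;
    a quick way to see which input lengths are exposed (len % 3 in {1, 2})."""
    clean = encode_vulnerable(lay_out(payload, b""))
    dirty = encode_vulnerable(lay_out(payload, tail))
    return [i for i, (a, b) in enumerate(zip(clean, dirty)) if a != b]


def fixed_matches_stdlib(max_len: int = 40, tail: bytes = b"\xff" * 32) -> bool:
    """Check encode_fixed against Python's base64 for every length up to
    max_len, always with a fully dirty word after the payload."""
    for n in range(max_len + 1):
        payload = bytes(range(n))
        if encode_fixed(lay_out(payload, tail)) != base64.b64encode(payload).decode():
            return False
    return True


if __name__ == "__main__":
    for payload in (b"a", b"ab", b"abc"):
        mem = lay_out(payload, b"\xff" * 32)
        print(payload, "vulnerable:", encode_vulnerable(mem),
              "fixed:", encode_fixed(mem), "leaked at:", leaked_positions(payload))
```

With a `0xff`-filled word after the buffer, `b"a"` encodes to `Yf==` instead of `YQ==` (four dirty bits land in the second character) and `b"ab"` to `YWL=` instead of `YWI=` (two dirty bits land in the third character); inputs whose length is a multiple of 3 are unaffected because the last load never straddles the buffer end. The model also shows why the bug is easy to miss: when the following word happens to be zero, as freshly allocated memory usually is, the vulnerable loop produces the correct string.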
No warning notice was found for this CVE.
EPSS metrics
  Type  Source     Score  Percentile
  EPSS  FIRST.org  0.76%  0.505
CVSS metrics
  Source                          Base score  Exploitability score  Impact score  Vector string
  nvd@nist.gov                    7.4         2.2                   5.2           CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
  security-advisories@github.com  6.5         2.2                   4.2           CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

References
  https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/2d081f24cac1a867f6f73d512f2022e1fa987854 (Patch)
  https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/723f8cab09cdae1aca9ec9cc1cfa040c2d4b06c1 (Patch)
  https://github.com/OpenZeppelin/openzeppelin-contracts/commit/92224533b1263772b0774eec3134e132a3d7b2a6 (Patch)
  https://github.com/OpenZeppelin/openzeppelin-contracts/commit/a6286d0fded8771b3a645e5813e51993c490399c (Patch)
  https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9vx6-7xxf-x967 (Vendor Advisory)