Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS02OTlnLXE2cWgtcTR2OM4AA3q7

OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4

Context

Merge conflict resolution issue when porting the v5.0.1 Multicall update to the v4.9 branch caused a duplicated line.

Impact

Versions using Multicall from @openzeppelin/[email protected] and @openzeppelin/[email protected] will execute each subcall twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers.

Patches

The duplicated delegatecall was removed in 4.9.5. The 4.9.4 version is marked as deprecated.

Permalink: https://github.com/advisories/GHSA-699g-q6qh-q4v8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OTlnLXE2cWgtcTR2OM4AA3q7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago

CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-699g-q6qh-q4v8, CVE-2023-49798
References:

• https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-699g-q6qh-q4v8
• https://nvd.nist.gov/vuln/detail/CVE-2023-49798
• https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/31f9fb9d171f60b2271b2b9c6f62d43302bf9489
• https://github.com/OpenZeppelin/openzeppelin-contracts/commit/88ac712e06832bce73b41e8166cded2729e25205
• https://github.com/advisories/GHSA-699g-q6qh-q4v8

Repository: https://github.com/OpenZeppelin/openzeppelin-contracts
Blast Radius: 26.8

Affected Packages