Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04NzhtLTNnNnEtNTk0cc4AAx7E

OpenZeppelin Contracts contains Incorrect Calculation

Impact

The ERC721Consecutive contract, designed for minting NFTs in batches, does not update balances when a batch consists of a single token (batch size 1). Subsequent transfers from the receiver of that token may overflow the balance reported by balanceOf.

The issue presents exclusively with batches of size 1.

Patches

The issue has been patched in 4.8.2.

Permalink: https://github.com/advisories/GHSA-878m-3g6q-594q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NzhtLTNnNnEtNTk0cc4AAx7E
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-878m-3g6q-594q, CVE-2023-26488
References: Repository: https://github.com/OpenZeppelin/openzeppelin-contracts
Blast Radius: 29.5

Affected Packages

npm:@openzeppelin/contracts-upgradeable
Dependent packages: 853
Dependent repositories: 4,919
Downloads: 585,606 last month
Affected Version Ranges: >= 4.8.0, < 4.8.2
Fixed in: 4.8.2
All affected versions: 4.8.0, 4.8.1
All unaffected versions: 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2
npm:@openzeppelin/contracts
Dependent packages: 3,207
Dependent repositories: 34,743
Downloads: 1,490,141 last month
Affected Version Ranges: >= 4.8.0, < 4.8.2
Fixed in: 4.8.2
All affected versions: 4.8.0, 4.8.1
All unaffected versions: 2.3.0, 2.4.0, 2.5.0, 2.5.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2