Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05M2hxLTV3Z2MtamM4Ms4AAy45
GovernorCompatibilityBravo may trim proposal calldata
Impact
The proposal creation entrypoint (propose) in GovernorCompatibilityBravo allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions appear to respect the original intended calldata.
Patches
This issue has been patched in v4.8.3.
Workarounds
Ensure that all proposals that pass through governance have equal length signatures and calldatas parameters.
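The following is an added pre-submission check, not code from the advisory or from OpenZeppelin. It models the behaviour the Impact section describes (only the first len(signatures) calldatas survive; the remaining actions run with empty calldata) and implements the Workarounds advice as an off-chain validator that governance tooling can run before calling propose. The function names, the ProposalAction container and the sample proposal are assumptions constructed for the example; the targets and values checks go slightly beyond the advisory text, which only mentions signatures and calldatas.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ProposalAction:
    """One governance action as passed to propose (constructed for this example)."""
    target: str
    value: int
    signature: str   # "" when calldata already carries the 4-byte selector
    calldata: bytes


def effective_calldatas(signatures: List[str], calldatas: List[bytes]) -> List[bytes]:
    """Model of the trimming described in the advisory: the encoded calldata array
    has len(calldatas) slots, but only the first len(signatures) are populated.
    Every slot past that stays empty, so those actions execute with no calldata."""
    populated = len(signatures)
    return [cd if i < populated else b"" for i, cd in enumerate(calldatas)]


def dropped_action_indices(signatures: List[str], calldatas: List[bytes]) -> List[int]:
    """Indices of actions whose intended calldata would silently be discarded."""
    return list(range(len(signatures), len(calldatas)))


def proposal_length_problems(
    targets: List[str], values: List[int], signatures: List[str], calldatas: List[bytes]
) -> List[str]:
    """Implements the workaround: every array must have the same length.
    Returns a list of human-readable problems; an empty list means the proposal is well formed."""
    lengths = {
        "targets": len(targets),
        "values": len(values),
        "signatures": len(signatures),
        "calldatas": len(calldatas),
    }
    problems = []
    if lengths["signatures"] != lengths["calldatas"]:
        dropped = dropped_action_indices(signatures, calldatas)
        problems.append(
            f"signatures has {lengths['signatures']} entries but calldatas has "
            f"{lengths['calldatas']}; actions {dropped} would execute with empty calldata"
        )
    if len(set(lengths.values())) != 1:
        problems.append(f"array length mismatch: {lengths}")
    return problems


def is_well_formed(actions: List[ProposalAction], signatures: List[str]) -> bool:
    """Convenience wrapper: unzip a list of actions and validate against the
    signatures array the proposer intends to submit alongside them."""
    targets = [a.target for a in actions]
    values = [a.value for a in actions]
    calldatas = [a.calldata for a in actions]
    return not proposal_length_problems(targets, values, signatures, calldatas)


if __name__ == "__main__":
    # Constructed sample: two actions, but the proposer only supplies one signature.
    actions = [
        ProposalAction("0x" + "11" * 20, 0, "setFee(uint256)", (42).to_bytes(32, "big")),
        ProposalAction("0x" + "22" * 20, 0, "", b"\xaa\xbb\xcc\xdd" + (7).to_bytes(32, "big")),
    ]
    short_signatures = ["setFee(uint256)"]
    print("effective calldatas:", effective_calldatas(short_signatures, [a.calldata for a in actions]))
    for problem in proposal_length_problems(
        [a.target for a in actions], [a.value for a in actions], short_signatures, [a.calldata for a in actions]
    ):
        print("REJECT:", problem)
    # Supplying an empty-string signature for the second action makes the arrays equal length.
    print("well formed:", is_well_formed(actions, ["setFee(uint256)", ""]))
```

Running the block on the constructed sample reports that action 1 would execute with empty calldata and rejects the proposal; padding the signatures array with an empty string for the action whose calldata already carries its selector makes it pass.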
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05M2hxLTV3Z2MtamM4Ms4AAy45
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: almost 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-93hq-5wgc-jc82, CVE-2023-30542
References:
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-93hq-5wgc-jc82
- https://nvd.nist.gov/vuln/detail/CVE-2023-30542
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/8d633cb7d169f2f8595b273660b00b69e845c2fe
- https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3
- https://github.com/advisories/GHSA-93hq-5wgc-jc82
Blast Radius: 40.0
Affected Packages
npm:@openzeppelin/contracts-upgradeable
Dependent packages: 853
Dependent repositories: 4,919
Downloads: 585,606 last month
Affected Version Ranges: >= 4.3.0, < 4.8.3
Fixed in: 4.8.3
All affected versions: 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2
All unaffected versions: 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.2.0, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2
npm:@openzeppelin/contracts
Dependent packages: 3,207
Dependent repositories: 34,743
Downloads: 1,490,141 last month
Affected Version Ranges: >= 4.3.0, < 4.8.3
Fixed in: 4.8.3
All affected versions: 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2
All unaffected versions: 2.3.0, 2.4.0, 2.5.0, 2.5.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.2.0, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2