@openzeppelin/contracts-upgradeable@3.4.2 vulnerabilities

@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via ECDSA.recover and ECDSA.tryRecover due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format.

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.3 or higher.

@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the supportsERC165InterfaceUnchecked() function in ERC165Checker.sol and ERC165CheckerUpgradeable.sol, which can consume excessive resources when processing a large amount of data via an EIP-165 supportsInterface query.

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.2 or higher.

@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible for initializer() protected functions to be executed twice, if this happens in the same transaction. For this to happen, either one call has to be a subcall to the other, or both calls have to be subcalls of a common initializer() protected function. This can be particularly dangerous if the initialization is not part of the proxy construction, and reentrancy is possible by executing an external call to an untrusted address.

Upgrade @openzeppelin/contracts-upgradeable to version 4.4.1 or higher.