Information Exposure Affecting @openzeppelin/contracts-upgradeable package, versions >=4.0.0 <4.7.1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-2958046
- published 22 Jul 2022
- disclosed 21 Jul 2022
- credit Unknown
Introduced: 21 Jul 2022
CVE-2022-31170 Open this link in a new tabHow to fix?
Upgrade @openzeppelin/contracts-upgradeable to version 4.7.1 or higher.
Overview
@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.
Affected versions of this package are vulnerable to Information Exposure. ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1.
The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting.