Information Exposure Affecting @openzeppelin/contracts-upgradeable package, versions >=4.0.0 <4.7.1


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.06% (29th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-2958046
  • published22 Jul 2022
  • disclosed21 Jul 2022
  • creditUnknown

Introduced: 21 Jul 2022

CVE-2022-31170  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.1 or higher.

Overview

@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.

Affected versions of this package are vulnerable to Information Exposure. ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1.

The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting.

References

CVSS Scores

version 3.1