CVE-2021-39168: Improper Privilege Management in Contracts

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.4% (top 36.66%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 27; Latest update Nov 14

Description

OpenZeppelin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor rema
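The workaround in the description is a procedure: enumerate the executors, revoke EXECUTOR_ROLE from every executor that is not also a proposer (or not strictly under the team's control), and confirm that at least one proposer and one executor remain. The script below is an added example, not OpenZeppelin's code and not part of the advisory, that carries out the planning step offline in Node.js and produces the revokeRole calldata to be scheduled through the timelock. It assumes the standard role identifiers (TimelockController defines PROPOSER_ROLE and EXECUTOR_ROLE as keccak256 of the role name; the hash constants and the revokeRole selector in the code are assumptions to be checked against the deployed contract's getters and ABI), and the membership lists are constructed sample data. It goes slightly beyond the advisory text in one respect: TimelockController treats the zero address holding EXECUTOR_ROLE as an open role (anyone may call execute), so the plan always revokes it regardless of the proposer rule.

```javascript
// Added example for the CVE-2021-39168 workaround; not OpenZeppelin's code.
// Plans which EXECUTOR_ROLE grants to revoke and ABI-encodes the revokeRole calls,
// entirely offline (no RPC, no ethers), so the plan can be reviewed before signing.

// Role ids in TimelockController are keccak256 of the role name. The hex values below
// are assumed; confirm them against PROPOSER_ROLE() / EXECUTOR_ROLE() on the deployed contract.
const PROPOSER_ROLE = "0xb09aa5aeb3702cfd50b6b62bc4532604938f21248a27a1d5ca736082b6819cc1";
const EXECUTOR_ROLE = "0xd8aa0f3194971a2a116679f7c2090f6939c8d4e01a2a8d7e41d55e5351469e63";
// 4-byte selector of AccessControl.revokeRole(bytes32,address); assumed, verify against the ABI.
const REVOKE_ROLE_SELECTOR = "0xd547741f";
// address(0) holding EXECUTOR_ROLE makes the role "open": any account may call execute().
const ZERO_ADDRESS = "0x" + "00".repeat(20);

function normalize(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error(`bad address: ${addr}`);
  return addr.toLowerCase();
}

// Apply the advisory's rule: keep an executor only if it is also a proposer (or is explicitly
// listed as strictly team-controlled); the open-role zero address is always revoked.
// Throws instead of returning a plan that would leave no proposer or no executor.
function planExecutorRevocations({ proposers, executors, trusted = [] }) {
  const proposerSet = new Set(proposers.map(normalize));
  const trustedSet = new Set(trusted.map(normalize));
  const revoke = [];
  const keep = [];
  for (const e of new Set(executors.map(normalize))) {
    if (e === ZERO_ADDRESS) { revoke.push(e); continue; }
    if (proposerSet.has(e) || trustedSet.has(e)) keep.push(e); else revoke.push(e);
  }
  if (proposerSet.size === 0) throw new Error("no proposer would remain");
  if (keep.length === 0) throw new Error("no executor would remain; keep at least one trusted executor");
  return { revoke, keep, openRole: revoke.includes(ZERO_ADDRESS) };
}

// revokeRole(bytes32 role, address account): selector || role word || address left-padded to 32 bytes.
function encodeRevokeRole(role, account) {
  const roleWord = role.slice(2).toLowerCase().padStart(64, "0");
  const addrWord = normalize(account).slice(2).padStart(64, "0");
  return REVOKE_ROLE_SELECTOR + roleWord + addrWord;
}

// One call per revocation, shaped for TimelockController.scheduleBatch(targets, values, datas, ...).
// The target is the timelock itself: in a standard deployment it is its own role admin.
function buildRevocationCalls(timelockAddress, roles) {
  const plan = planExecutorRevocations(roles);
  return plan.revoke.map((account) => ({
    target: normalize(timelockAddress),
    value: 0n,
    data: encodeRevokeRole(EXECUTOR_ROLE, account),
  }));
}

// Constructed sample membership (not taken from any real deployment).
const ADDR_A = "0x" + "11".repeat(20); // proposer and executor: kept
const ADDR_B = "0x" + "22".repeat(20); // proposer only
const ADDR_C = "0x" + "33".repeat(20); // executor only: revoked
const SAMPLE_ROLES = { proposers: [ADDR_A, ADDR_B], executors: [ADDR_A, ADDR_C, ZERO_ADDRESS] };
const SAMPLE_TIMELOCK = "0x" + "aa".repeat(20);

console.log(buildRevocationCalls(SAMPLE_TIMELOCK, SAMPLE_ROLES));
```

EXECUTOR_ROLE's admin role in TimelockController is TIMELOCK_ADMIN_ROLE, which after the deployer renounces it is held only by the timelock itself, so the generated calls are normally submitted by a proposer via scheduleBatch and executed after minDelay; the revocations therefore take effect only once the delay has elapsed, and an executor that is not also a proposer keeps its role for that window.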

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Note: the description states that the attacker must already hold the executor role, which the PR:N (no privileges required) component of this vector does not reflect; treat the 9.8 as an upper bound and re-score against the role configuration of your own deployment.

Affected Packages (3 packages)

NVD        openzeppelin/contracts                            >= 3.3.0, < 3.4.2 (+1)
npm        openzeppelin/contracts-upgradeable                >= 4.0.0, < 4.3.1 (+1)
CVEListV5  openzeppelin/openzeppelin-contracts-upgradeable   >= 3.3.0-solc-0.7, < 3.4.2-solc-0.7; >= 3.3.0, < 3.4.2; >= 4.0.0, < 4.3.1 (+2)

Vulnerability Details (2)

OSV   TimelockController vulnerability in OpenZeppelin Contracts   2021-08-30
GHSA  TimelockController vulnerability in OpenZeppelin Contracts   2021-08-30

Research Papers (1)

arXiv  SmartInv: Multimodal Learning for Smart Contract Invariant Inference   2024-11-14