CVE-2022-31170 — Improper Input Validation in Contracts

CWE-20 — Improper Input Validation CWE-252 — Unchecked Return Value3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 45.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openzeppelin Contracts Openzeppelin Contracts-upgradeable Openzeppelin Openzeppelin-contracts

Timeline

Latest updateJul 21

PublishedJul 22

Description

OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning `false`. `ERC165Checker.supportsInterface` is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDopenzeppelin/contracts4.0.0 — 4.7.1

▶npmopenzeppelin/contracts4.0.0 — 4.7.1

▶npmopenzeppelin/contracts-upgradeable4.0.0 — 4.7.1

▶CVEListV5openzeppelin/openzeppelin-contracts>= 4.0.0, < 4.7.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

OpenZeppelin Contracts's ERC165Checker may revert instead of returning false↗2022-07-21

▶

OSV

OpenZeppelin Contracts's ERC165Checker may revert instead of returning false↗2022-07-21

▶