CVE-2022-31172 — Improper Input Validation in Contracts

CWE-20 — Improper Input Validation CWE-347 — Improper Verification of Cryptographic Signature3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 70.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openzeppelin Contracts Openzeppelin Contracts-upgradeable Openzeppelin Openzeppelin-contracts

Timeline

Latest updateJul 21

PublishedJul 22

Description

OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle inv…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDopenzeppelin/contracts4.1.0 — 4.7.1

▶npmopenzeppelin/contracts4.1.0 — 4.7.1

▶npmopenzeppelin/contracts-upgradeable4.1.0 — 4.7.1

▶CVEListV5openzeppelin/openzeppelin-contracts>= 4.1.0, < 4.7.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers↗2022-07-21

▶

OSV

OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers↗2022-07-21

▶