CVE-2022-35916 — Incorrect Resource Transfer Between Spheres in Contracts

CWE-669 — Incorrect Resource Transfer Between Spheres3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 52.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openzeppelin Contracts Openzeppelin Contracts Upgradeable Openzeppelin Contracts-upgradeable +1 more

Timeline

PublishedAug 1

Latest updateAug 14

Description

OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This issue has been patched in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶NVDopenzeppelin/contracts_upgradeable4.6.0 — 4.7.2

▶npmopenzeppelin/contracts-upgradeable4.6.0 — 4.7.2

▶NVDopenzeppelin/contracts4.6.0 — 4.7.2

▶npmopenzeppelin/contracts4.6.0 — 4.7.2

▶CVEListV5openzeppelin/openzeppelin-contracts>= 4.6.0, < 4.7.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

OpenZeppelin Contracts's Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls↗2022-08-14

▶

OSV

OpenZeppelin Contracts's Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls↗2022-08-14

▶