CVE-2022-39384 — Improper Initialization in Contracts

CWE-665 — Improper Initialization3 documents3 sources

Severity

5.6MEDIUMNVD

EPSS

0.6%

top 31.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openzeppelin Contracts Openzeppelin Contracts Upgradeable Openzeppelin Contracts-upgradeable +1 more

Timeline

Latest updateDec 14

PublishedNov 4

Description

OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible in the scenario described above, bre…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.2 | Impact: 3.4

Affected Packages5 packages

▶NVDopenzeppelin/contracts_upgradeable3.2.0 — 4.4.1

▶npmopenzeppelin/contracts-upgradeable3.2.0 — 4.4.1

▶NVDopenzeppelin/contracts3.2.0 — 4.4.1

▶npmopenzeppelin/contracts3.2.0 — 4.4.1

▶CVEListV5openzeppelin/openzeppelin-contracts>= 3.2.0, < 4.4.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

OpenZeppelin Contracts initializer reentrancy may lead to double initialization↗2021-12-14

▶

OSV

OpenZeppelin Contracts initializer reentrancy may lead to double initialization↗2021-12-14

▶