CVE-2023-30541 — Interpretation Conflict in Contracts

CWE-436 — Interpretation Conflict3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.6%

top 29.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openzeppelin Contracts Openzeppelin Contracts Upgradeable Openzeppelin Contracts-upgradeable +1 more

Timeline

PublishedApr 17

Description

OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in av…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶NVDopenzeppelin/contracts3.2.0 — 4.8.3

▶npmopenzeppelin/contracts3.2.0 — 4.8.3

▶NVDopenzeppelin/contracts_upgradeable3.2.0 — 4.8.3

▶npmopenzeppelin/contracts-upgradeable3.2.0 — 4.8.3

▶CVEListV5openzeppelin/openzeppelin-contracts@openzeppelin/contracts-upgradeable: >=3.2.0, <4.8.3, @openzeppelin/contracts: >= 3.2.0, < 4.8.3+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated↗2023-04-17

▶

OSV

OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated↗2023-04-17

▶