CVE-2023-34234 — Missing Authorization in Contracts

CWE-862 — Missing Authorization3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 71.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openzeppelin Contracts Openzeppelin Contracts Upgradeable Openzeppelin Contracts-upgradeable +1 more

Timeline

PublishedJun 7

Latest updateJun 8

Description

OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgr…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶NVDopenzeppelin/contracts_upgradeable4.3.0 — 4.9.1

▶npmopenzeppelin/contracts-upgradeable4.3.0 — 4.9.1

▶NVDopenzeppelin/contracts4.3.0 — 4.9.1

▶npmopenzeppelin/contracts4.3.0 — 4.9.1

▶CVEListV5openzeppelin/openzeppelin-contracts>=4.3.0, < 4.9.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning↗2023-06-08

▶

OSV

OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning↗2023-06-08

▶