CVE-2023-34459: Improper Validation of Integrity Check Value in Contracts

Severity
5.9 MEDIUM (NVD)
EPSS
0.9%
top 24.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 16
Latest update: Jun 19

Description

OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the `verifyMultiProof`, `verifyMultiProofCalldata`, `processMultiProof`, or `processMultiProofCalldata` functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with va

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (5 packages)

Source      Package                                Affected versions
NVD         openzeppelin/contracts                 >= 4.7.0, < 4.9.2
npm         openzeppelin/contracts                 >= 4.7.0, < 4.9.2
CVEListV5   openzeppelin/openzeppelin-contracts    >= 4.7.0, < 4.9.2

Patches

Vulnerability Details

OSV:  OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees (2023-06-19)
GHSA: OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees (2023-06-19)