CVE-2024-45304Always-Incorrect Control Flow Implementation in Cairo-contracts

CWE-670Always-Incorrect Control Flow Implementation1 documents1 sources
Severity
6.5MEDIUMNVD
EPSS
0.4%
top 37.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Openzeppelin Cairo-contractsOpenzeppelin Contracts
Timeline
PublishedAug 31

Description

Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. This vulnerability can lead to unauthorized ownership transfer, contrary to the original owner's intention of leaving the contract without an owner. It introduces a security risk where an unintended party (pending owner) can gain control of the contract after the original owner has renounced ownership. This could also be used by a malicious owner to simulate leaving a contract without an owner, t

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5openzeppelin/cairo-contracts< 0.16.0

Patches

Patch: github.com