CVE-2021-46320

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-46320

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-46320.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-46320

Aliases

GHSA-88g8-f5mf-f5rj

Related

GHSA-9c22-pwxw-p6hx

Published

2022-02-04T12:15:07Z

Modified

2025-10-21T06:43:00.676368Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

In OpenZeppelin <=v4.4.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible, breaking the expectation that there is a single execution.

References

https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9c22-pwxw-p6hx

Affected packages

Git / github.com/openzeppelin/openzeppelin-contracts

Affected ranges

Type: GIT
Repo: https://github.com/openzeppelin/openzeppelin-contracts
Events: Introduced

1ada3b633e5bfd9d4ffe0207d64773a11f5a7c40

Last affected

4961a51cc736c7d4aa9bd2e11e4cbbaff73efee9

Affected versions

v3.*

v3.1.0-solc-0.7

v3.2.0

v3.2.1-solc-0.7

v3.2.2-solc-0.7

v3.3.0

v3.3.0-rc.0

v3.3.0-rc.1

v3.3.0-rc.2

v3.4.0

v3.4.0-rc.0

v4.*

v4.0.0

v4.0.0-beta.0

v4.0.0-beta.1

v4.0.0-rc.0

v4.1.0

v4.1.0-rc.0

v4.2.0

v4.2.0-rc.0

v4.3.0

v4.3.0-rc.0

v4.3.1

v4.3.2

v4.4.0

v4.4.0-rc.0

v4.4.0-rc.1