CVE-2023-23940

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-23940
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23940.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-23940
Aliases
Published
2023-02-03T20:15:11Z
Modified
2024-06-06T14:15:36.676393Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature. In Cairo 0 the keccak helpers compute the hash inside a hint and only record their inputs and outputs in the segment behind keccak_ptr; finalize_keccak is the step that emits the constraints binding each recorded output to its input. Without it, the address that verify_eth_signature derives (via keccak) from the recovered public key and compares against the account's stored Ethereum address is not constrained by the proof, so whoever produces the proof can choose it. On StarkNet that party is the sequencer. As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer, which can bypass signature validation and impersonate an instance of these accounts. The issue has been patched in 0.6.1.
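The missing call in context, as an added illustration rather than the library's own code: a stripped-down before/after of the account signature check in Cairo 0 (0.10-era) syntax. The storage variable Account_eth_address and the helper _unpack_signature are assumptions made for this example; the imports from starkware.cairo.common are the real cairo-lang paths for verify_eth_signature_uint256 and finalize_keccak.

```cairo
%lang starknet

from starkware.cairo.common.alloc import alloc
from starkware.cairo.common.bool import TRUE
from starkware.cairo.common.cairo_builtins import BitwiseBuiltin, HashBuiltin
from starkware.cairo.common.cairo_keccak.keccak import finalize_keccak
from starkware.cairo.common.cairo_secp.signature import verify_eth_signature_uint256
from starkware.cairo.common.math import split_felt
from starkware.cairo.common.uint256 import Uint256

// Assumed storage slot holding the Ethereum address that controls this
// account (illustrative name, not the library's).
@storage_var
func Account_eth_address() -> (address: felt) {
}

// Assumed helper: unpack (v, r, s) from the signature array and widen the
// felt hash into a Uint256, the layout the EthAccount calldata uses.
func _unpack_signature{range_check_ptr}(hash: felt, signature: felt*) -> (
    msg_hash: Uint256, r: Uint256, s: Uint256, v: felt
) {
    let v = signature[0];
    let r = Uint256(low=signature[1], high=signature[2]);
    let s = Uint256(low=signature[3], high=signature[4]);
    let (high, low) = split_felt(hash);
    let msg_hash = Uint256(low=low, high=high);
    return (msg_hash=msg_hash, r=r, s=s, v=v);
}

// BEFORE (the CVE-2023-23940 pattern): keccak inputs and outputs are only
// recorded in the keccak_ptr segment; nothing ever proves them.
func is_valid_eth_signature_unfinalized{
    syscall_ptr: felt*, pedersen_ptr: HashBuiltin*, bitwise_ptr: BitwiseBuiltin*, range_check_ptr
}(hash: felt, signature_len: felt, signature: felt*) -> (is_valid: felt) {
    alloc_locals;
    let (eth_address) = Account_eth_address.read();
    let (msg_hash, r, s, v) = _unpack_signature(hash, signature);

    let (local keccak_ptr: felt*) = alloc();
    with keccak_ptr {
        // Recovers a public key from (v, r, s), keccak-hashes it through a
        // hint and asserts the low 160 bits equal eth_address. The keccak
        // output is whatever the prover's hint wrote, so a malicious
        // sequencer can make the assertion pass for a forged signature.
        verify_eth_signature_uint256(msg_hash=msg_hash, r=r, s=s, v=v, eth_address=eth_address);
    }
    // Missing: finalize_keccak(...). Control reaches TRUE with the keccak
    // states unverified.
    return (is_valid=TRUE);
}

// AFTER (what the 0.6.1 fix adds): finalize_keccak emits the constraints
// that tie every keccak output recorded between keccak_ptr_start and
// keccak_ptr to its input, so a sequencer can no longer substitute one.
func is_valid_eth_signature_finalized{
    syscall_ptr: felt*, pedersen_ptr: HashBuiltin*, bitwise_ptr: BitwiseBuiltin*, range_check_ptr
}(hash: felt, signature_len: felt, signature: felt*) -> (is_valid: felt) {
    alloc_locals;
    let (eth_address) = Account_eth_address.read();
    let (msg_hash, r, s, v) = _unpack_signature(hash, signature);

    // Keep the start of the segment; the with-block advances keccak_ptr.
    let (local keccak_ptr_start: felt*) = alloc();
    let keccak_ptr = keccak_ptr_start;
    with keccak_ptr {
        verify_eth_signature_uint256(msg_hash=msg_hash, r=r, s=s, v=v, eth_address=eth_address);
    }
    // keccak_ptr now points past the last recorded block; prove all of them.
    finalize_keccak(keccak_ptr_start=keccak_ptr_start, keccak_ptr_end=keccak_ptr);
    return (is_valid=TRUE);
}
```

Two practitioner caveats. First, unit tests cannot catch this class of bug: a local devnet or test runner executes the hint honestly, so the keccak output is correct and both versions above pass the same tests; the defect only matters against a dishonest prover. Second, when auditing Cairo 0 code, pair every keccak_ptr allocation with a finalize_keccak on every path that returns, including early returns and error branches, since a single unfinalized path is enough to leave the hash unconstrained.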

References

Affected packages

Git / github.com/openzeppelin/cairo-contracts

Affected ranges

Type
GIT
Repo
https://github.com/openzeppelin/cairo-contracts
Events

Affected versions

v0.*

v0.2.0
v0.2.1