CVE-2023-30542
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-30542
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30542.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-30542
- Aliases
- Related
- Published
- 2023-04-16T08:15:07Z
- Modified
- 2025-07-29T10:52:13.947419Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (
propose) inGovernorCompatibilityBravoallows the creation of proposals with asignaturesarray shorter than thecalldatasarray. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. TheProposalCreatedevent correctly represents what will eventually execute, but the proposal parameters as queried throughgetActionsappear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal lengthsignaturesandcalldatasparameters. - References
Affected packages
Git / github.com/openzeppelin/openzeppelin-contracts
Affected ranges
- Type
- GIT
- Repo
- https://github.com/openzeppelin/openzeppelin-contracts
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/openzeppelin/openzeppelin-contracts-upgradeable
- Events