CVE-2023-49798

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-49798

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49798.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-49798

Aliases

GHSA-699g-q6qh-q4v8

Related

GHSA-699g-q6qh-q4v8

Published

2023-12-09T00:15:06Z

Modified

2025-01-15T05:02:12.442814Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of Multicall.sol released in @openzeppelin/contracts@4.9.4 and @openzeppelin/contracts-upgradeable@4.9.4, all subcalls are executed twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers. The duplicated delegatecall was removed in version 4.9.5. The 4.9.4 version is marked as deprecated. Users are advised to upgrade. There are no known workarounds for this issue.

References

Affected packages

Git / github.com/openzeppelin/openzeppelin-contracts

Affected ranges

Type: GIT
Repo: https://github.com/openzeppelin/openzeppelin-contracts
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

88ac712e06832bce73b41e8166cded2729e25205

Fixed

88ac712e06832bce73b41e8166cded2729e25205

Type: GIT
Repo: https://github.com/openzeppelin/openzeppelin-contracts-upgradeable
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

f55babcbeef1d1c42c8e0f8884abcd6663a7909f

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.1.0

v1.10.0

v1.11.0

v1.11.0-rc.1

v1.12.0

v1.12.0-rc.1

v1.12.0-rc.2

v1.2.0

v1.3.0

v1.4.0

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.9.0

v2.*

v2.0.0

v2.0.0-rc.1

v2.0.0-rc.2

v2.0.0-rc.3

v2.0.0-rc.4

v2.0.1

v2.1.0-rc.1

v2.1.0-rc.2

v2.1.1

v2.1.2

v2.1.3

v2.2.0

v2.2.0-rc.1

v2.3.0

v2.3.0-rc.0

v2.3.0-rc.1

v2.3.0-rc.2

v2.3.0-rc.3

v2.4.0

v2.4.0-beta.0

v2.4.0-beta.1

v2.4.0-beta.2

v2.5.0

v2.5.0-rc.0

v2.5.1

v3.*

v3.0.0

v3.0.0-rc.0

v3.0.0-rc.1

v3.0.1

v3.0.2

v3.1.0

v3.1.0-rc.0

v3.1.0-solc-0.7

v3.2.0

v3.2.0-rc.0

v3.2.1-solc-0.7

v3.2.2-solc-0.7

v3.3.0

v3.3.0-rc.0

v3.3.0-rc.1

v3.3.0-rc.2

v3.4.0

v3.4.0-rc.0

v4.*

v4.0.0

v4.0.0-beta.0

v4.0.0-beta.1

v4.0.0-rc.0

v4.1.0

v4.1.0-rc.0

v4.2.0

v4.2.0-rc.0

v4.3.0

v4.3.0-rc.0

v4.3.1

v4.3.2

v4.4.0

v4.4.0-rc.0

v4.4.0-rc.1

v4.4.1

v4.8.0

v4.8.0-rc.0

v4.8.0-rc.1

v4.8.0-rc.2

v4.9.0

v4.9.0-rc.0

v4.9.0-rc.1

v4.9.1

v4.9.2

v4.9.3

v4.9.4