GHSA-5vp3-v4hc-gx76

Source

https://github.com/advisories/GHSA-5vp3-v4hc-gx76

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-5vp3-v4hc-gx76/GHSA-5vp3-v4hc-gx76.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5vp3-v4hc-gx76

Aliases

CVE-2021-41264

Related

CVE-2021-41264

Published

2021-09-15T20:23:17Z

Modified

2023-11-08T04:06:57.727712Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

UUPSUpgradeable vulnerability in @openzeppelin/contracts

Details

Impact

Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.

Patches

A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.

Workarounds

Initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.

References

Post-mortem.

For more information

If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.

Database specific

{
    "nvd_published_at": "2021-11-12T18:15:00Z",
    "github_reviewed_at": "2021-09-14T22:17:42Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-665"
    ]
}

References

Affected packages

npm / @openzeppelin/contracts

Package

Name: @openzeppelin/contracts; View open source insights on deps.dev
Purl: pkg:npm/%40openzeppelin/contracts

Affected ranges

Type: SEMVER
Events: Introduced

4.1.0

Fixed

4.3.2

npm / @openzeppelin/contracts-upgradeable

Package

Name: @openzeppelin/contracts-upgradeable; View open source insights on deps.dev
Purl: pkg:npm/%40openzeppelin/contracts-upgradeable

Affected ranges

Type: SEMVER
Events: Introduced

4.1.0

Fixed

4.3.2