GHSA-626q-v9j4-mcp4

Source

https://github.com/advisories/GHSA-626q-v9j4-mcp4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-626q-v9j4-mcp4/GHSA-626q-v9j4-mcp4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-626q-v9j4-mcp4

Aliases

CVE-2023-23940

Published

2023-02-02T16:59:46Z

Modified

2024-10-07T21:26:33.861886Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

OpenZeppelin Contracts contains Improper Verification of Cryptographic Signature

Details

Cause

is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature.

Impact

As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts.

Risk

In order to exploit this vulnerability, it is required to control a sequencer or prover since they're the ones executing the hints, being able to inject incorrect keccak results.

Today StarkWare is the only party running both a prover or a sequencer, greatly reducing the risk of exploit.

Patches

The issue has been patched in 0.6.1.

For more information

If you have any questions or comments about this advisory: * Open an issue in the Contracts for Cairo repository * Email us at security@openzeppelin.com

References

Affected packages

PyPI / openzeppelin-cairo-contracts

Package

Name: openzeppelin-cairo-contracts; View open source insights on deps.dev
Purl: pkg:pypi/openzeppelin-cairo-contracts

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.2.0

Fixed

0.6.1

Affected versions

0.*

0.2.0

0.2.1

0.3.0

0.3.1

0.3.2

0.4.0b0

0.4.0

0.5.0

0.5.1

0.6.0