GHSA-699g-q6qh-q4v8

Source
https://github.com/advisories/GHSA-699g-q6qh-q4v8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-699g-q6qh-q4v8/GHSA-699g-q6qh-q4v8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-699g-q6qh-q4v8
Aliases
Related
Published
2023-12-12T00:49:25Z
Modified
2023-12-12T01:26:47.337306Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4
Details

Context

A merge-conflict resolution error while porting the v5.0.1 Multicall update to the v4.9 branch left a duplicated line in the Multicall loop.

Impact

Versions using Multicall from @openzeppelin/contracts@4.9.4 and @openzeppelin/contracts-upgradeable@4.9.4 will execute each subcall twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers.

Patches

The duplicated delegatecall was removed in 4.9.5. The 4.9.4 version is marked as deprecated.
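As an added illustration, not OpenZeppelin's source, the constructed Solidity below places a stripped-down Multicall loop carrying the kind of duplicated delegatecall this advisory describes next to the corrected loop, plus a small ledger contract that makes the doubled transfer observable. The contract and function names (MulticallBuggy, MulticallFixed, BuggyLedger, _delegate) are invented for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the defect class in GHSA-699g-q6qh-q4v8.
// Not OpenZeppelin's code: a minimal Multicall whose loop body keeps a
// duplicated delegatecall of the sort a bad merge can leave behind.
abstract contract MulticallBuggy {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            // Duplicated line: the same subcall is issued twice per iteration,
            // so every state change in the batch (e.g. a transfer) happens twice.
            results[i] = _delegate(data[i]);
            results[i] = _delegate(data[i]);
        }
    }

    function _delegate(bytes calldata call) private returns (bytes memory) {
        // delegatecall to self keeps msg.sender, so subcalls act for the batch caller.
        (bool ok, bytes memory ret) = address(this).delegatecall(call);
        require(ok, "subcall reverted");
        return ret;
    }
}

// Corrected form: each encoded subcall is executed exactly once.
abstract contract MulticallFixed {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "subcall reverted");
            results[i] = ret;
        }
    }
}

// Minimal balance ledger that makes the duplicated execution visible.
contract BuggyLedger is MulticallBuggy {
    mapping(address => uint256) public balance;

    constructor() {
        balance[msg.sender] = 100; // constructed starting balance
    }

    function transfer(address to, uint256 amount) external {
        balance[msg.sender] -= amount; // 0.8.x reverts on underflow
        balance[to] += amount;
    }
}
```

Batching a single `abi.encodeCall(BuggyLedger.transfer, (recipient, 10))` through BuggyLedger.multicall debits the caller 20 and credits the recipient 20; swapping the base contract for MulticallFixed moves exactly 10, which is the behaviour restored in 4.9.5.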

Database specific
{
    "nvd_published_at": "2023-12-09T00:15:06Z",
    "cwe_ids": [
        "CWE-670"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-12T00:49:25Z"
}
References

Affected packages

npm / @openzeppelin/contracts

Package

Name
@openzeppelin/contracts
Purl
pkg:npm/%40openzeppelin/contracts

Affected ranges

Type
SEMVER
Events
Introduced
4.9.4
Fixed
4.9.5

Affected versions

4.*

4.9.4

npm / @openzeppelin/contracts-upgradeable

Package

Name
@openzeppelin/contracts-upgradeable
Purl
pkg:npm/%40openzeppelin/contracts-upgradeable

Affected ranges

Type
SEMVER
Events
Introduced
4.9.4
Fixed
4.9.5

Affected versions

4.*

4.9.4