GHSA-699g-q6qh-q4v8

Source

https://github.com/advisories/GHSA-699g-q6qh-q4v8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-699g-q6qh-q4v8/GHSA-699g-q6qh-q4v8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-699g-q6qh-q4v8

Aliases

CVE-2023-49798

Published

2023-12-12T00:49:25Z

Modified

2023-12-12T01:26:47.337306Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4

Details

Context

Merge conflict resolution issue when porting the v5.0.1 Multicall update to the v4.9 branch caused a duplicated line.

Impact

Versions using Multicall from @openzeppelin/contracts@4.9.4 and @openzeppelin/contracts-upgradeable@4.9.4 will execute each subcall twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers.

Patches

The duplicated delegatecall was removed in 4.9.5. The 4.9.4 version is marked as deprecated.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-670"
    ],
    "nvd_published_at": "2023-12-09T00:15:06Z",
    "github_reviewed_at": "2023-12-12T00:49:25Z",
    "severity": "MODERATE"
}

References

Affected packages

npm / @openzeppelin/contracts

Package

Name: @openzeppelin/contracts; View open source insights on deps.dev
Purl: pkg:npm/%40openzeppelin/contracts

Affected ranges

Type: SEMVER
Events: Introduced

4.9.4

Fixed

4.9.5

Affected versions

4.*

4.9.4

npm / @openzeppelin/contracts-upgradeable

Package

Name: @openzeppelin/contracts-upgradeable; View open source insights on deps.dev
Purl: pkg:npm/%40openzeppelin/contracts-upgradeable