GHSA-878m-3g6q-594q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-878m-3g6q-594q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-878m-3g6q-594q/GHSA-878m-3g6q-594q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-878m-3g6q-594q
- Aliases
- Related
- Published
- 2023-03-03T20:02:16Z
- Modified
- 2023-11-08T04:12:02.209796Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- OpenZeppelin Contracts contains Incorrect Calculation
- Details
-
Impact
The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by
balanceOf.The issue exclusively presents with batches of size 1.
Patches
The issue has been patched in 4.8.2.
<!-- ### References -->
- Database specific
{ "nvd_published_at": "2023-03-03T22:15:00Z", "github_reviewed_at": "2023-03-03T20:02:16Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-682" ] }- References
-
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-878m-3g6q-594q
- https://nvd.nist.gov/vuln/detail/CVE-2023-26488
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/167bf67ed3907f4a674043496019fa346cee7705
- https://github.com/OpenZeppelin/openzeppelin-contracts
- https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.2
Affected packages
npm / @openzeppelin/contracts
Package
- Name
- @openzeppelin/contracts
- View open source insights on deps.dev
- Purl
- pkg:npm/%40openzeppelin/contracts
npm / @openzeppelin/contracts-upgradeable
Package
- Name
- @openzeppelin/contracts-upgradeable
- View open source insights on deps.dev
- Purl
- pkg:npm/%40openzeppelin/contracts-upgradeable