GHSA-88g8-f5mf-f5rj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-88g8-f5mf-f5rj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-88g8-f5mf-f5rj/GHSA-88g8-f5mf-f5rj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-88g8-f5mf-f5rj
- Aliases
- Published
- 2022-02-05T00:00:31Z
- Modified
- 2025-01-14T10:12:19.344190Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Improper Initialization in OpenZeppelin
- Details
-
In OpenZeppelin <=v4.4.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible, breaking the expectation that there is a single execution.
- Database specific
{ "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-665" ], "nvd_published_at": "2022-02-04T12:15:00Z", "github_reviewed_at": "2022-02-11T16:20:03Z" }- References
-
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9c22-pwxw-p6hx
- https://nvd.nist.gov/vuln/detail/CVE-2021-46320
- https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3006
- https://github.com/OpenZeppelin/openzeppelin-contracts
- https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.4.1
Affected packages
npm / @openzeppelin/contracts
Package
- Name
- @openzeppelin/contracts
- View open source insights on deps.dev
- Purl
- pkg:npm/%40openzeppelin/contracts