GHSA-mx2q-35m2-x2rh

Suggest an improvement
Source
https://github.com/advisories/GHSA-mx2q-35m2-x2rh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-mx2q-35m2-x2rh/GHSA-mx2q-35m2-x2rh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mx2q-35m2-x2rh
Aliases
Related
Published
2023-04-17T16:45:21Z
Modified
2023-11-08T04:12:24.881566Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated
Details

Impact

A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata.

The probability of an accidental clash is negligible, but one could be caused deliberately.

Patches

The issue has been fixed in v4.8.3.

Workarounds

If a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through.

References

https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4154

Database specific 
{
    "nvd_published_at": "2023-04-17T22:15:10Z",
    "cwe_ids": [
        "CWE-436"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-17T16:45:21Z"
}
References

Affected packages

npm / @openzeppelin/contracts

Package

Name
@openzeppelin/contracts
View open source insights on deps.dev
Purl
pkg:npm/%40openzeppelin/contracts

Affected ranges

Type
SEMVER
Events
Introduced
3.2.0
Fixed
4.8.3

npm / @openzeppelin/contracts-upgradeable

Package

Name
@openzeppelin/contracts-upgradeable
View open source insights on deps.dev
Purl
pkg:npm/%40openzeppelin/contracts-upgradeable

Affected ranges

Type
SEMVER
Events
Introduced
3.2.0
Fixed
4.8.3