Skip to main content

Contracts CVE-2022-31198

HIGH
Incorrect Calculation (CWE-682)
2022-08-01 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 01, 2022 - 21:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 14 npm packages depend on @openzeppelin/contracts (6 direct, 8 indirect)
  • 1 npm packages depend on @openzeppelin/contracts-upgradeable (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.3.0 and other introduced versions.

DescriptionNVD

OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module GovernorVotesQuorumFraction, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirements, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement. Analysis of instances on chain found only one proposal that met this condition, and we are actively monitoring for new occurrences of this particular issue. This issue has been patched in v4.7.2. Users are advised to upgrade. Users unable to upgrade should consider avoiding lowering quorum requirements if a past proposal was defeated for lack of quorum.

AnalysisAI

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-682. OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module GovernorVotesQuorumFraction, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirements, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement. Analysis of instances on chain found only one proposal that met this condition, and we are actively monitoring for new occurrences of this particular issue. This issue has been patched in v4.7.2. Users are advised to upgrade. Users unable to upgrade should consider avoiding lowering quorum requirements if a past proposal was defeated for lack of quorum. Affected products include: Openzeppelin Contracts, Openzeppelin Contracts Upgradeable.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-31153 MEDIUM POC
6.5 Jul 15

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK

CVE-2021-41264 CRITICAL
9.8 Nov 12

OpenZeppelin Contracts is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2021-39168 CRITICAL
9.8 Aug 27

OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2021-39167 CRITICAL
9.8 Aug 27

OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2023-30542 HIGH
8.8 Apr 16

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 8.8), this vulnerab

CVE-2023-49798 HIGH
7.5 Dec 09

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2022-31172 HIGH
7.5 Jul 22

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2022-31170 HIGH
7.5 Jul 22

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-27094 HIGH
7.4 Mar 21

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.4), this vulnerab

CVE-2024-45304 MEDIUM
6.5 Aug 31

Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. Rated medium severi

CVE-2023-26488 MEDIUM
6.5 Mar 03

OpenZeppelin Contracts is a library for secure smart contract development. Rated medium severity (CVSS 6.5), this vulner

CVE-2022-35961 MEDIUM
6.5 Aug 15

OpenZeppelin Contracts is a library for secure smart contract development. Rated medium severity (CVSS 6.5), this vulner

Share

CVE-2022-31198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy