Skip to main content

Contracts CVE-2022-35915

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2022-08-01 security-advisories@github.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
CVE Published
Aug 01, 2022 - 21:15 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 40 npm packages depend on openzeppelin-solidity (26 direct, 14 indirect)

Ecosystem-wide dependent count for version 2.0.0.

DescriptionNVD

OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.

AnalysisAI

OpenZeppelin Contracts is a library for secure smart contract development. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue. Affected products include: Openzeppelin Contracts, Openzeppelin Contracts Upgradeable, Openzeppelin Openzeppelin-Eth, Openzeppelin Openzeppelin-Solidity.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.

CVE-2022-31153 MEDIUM POC
6.5 Jul 15

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK

CVE-2021-41264 CRITICAL
9.8 Nov 12

OpenZeppelin Contracts is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2021-39168 CRITICAL
9.8 Aug 27

OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2021-39167 CRITICAL
9.8 Aug 27

OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2023-30542 HIGH
8.8 Apr 16

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 8.8), this vulnerab

CVE-2023-49798 HIGH
7.5 Dec 09

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2022-31198 HIGH
7.5 Aug 01

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.5), this vulnerab

CVE-2022-31172 HIGH
7.5 Jul 22

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2022-31170 HIGH
7.5 Jul 22

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-27094 HIGH
7.4 Mar 21

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.4), this vulnerab

CVE-2024-45304 MEDIUM
6.5 Aug 31

Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. Rated medium severi

CVE-2023-26488 MEDIUM
6.5 Mar 03

OpenZeppelin Contracts is a library for secure smart contract development. Rated medium severity (CVSS 6.5), this vulner

Share

CVE-2022-35915 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy