Skip to main content

Contracts CVE-2022-35916

MEDIUM
Incorrect Resource Transfer Between Spheres (CWE-669)
2022-08-01 security-advisories@github.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 01, 2022 - 21:15 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 105 npm packages depend on @openzeppelin/contracts (50 direct, 58 indirect)
  • 18 npm packages depend on @openzeppelin/contracts-upgradeable (14 direct, 4 indirect)

Ecosystem-wide dependent count for version 4.6.0 and other introduced versions.

DescriptionNVD

OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, CrossChainEnabledArbitrumL2 or LibArbitrumL2, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This issue has been patched in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.

AnalysisAI

OpenZeppelin Contracts is a library for secure smart contract development. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-669. OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, CrossChainEnabledArbitrumL2 or LibArbitrumL2, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This issue has been patched in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue. Affected products include: Openzeppelin Contracts, Openzeppelin Contracts Upgradeable.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-31153 MEDIUM POC
6.5 Jul 15

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK

CVE-2021-41264 CRITICAL
9.8 Nov 12

OpenZeppelin Contracts is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2021-39168 CRITICAL
9.8 Aug 27

OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2021-39167 CRITICAL
9.8 Aug 27

OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2023-30542 HIGH
8.8 Apr 16

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 8.8), this vulnerab

CVE-2023-49798 HIGH
7.5 Dec 09

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2022-31198 HIGH
7.5 Aug 01

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.5), this vulnerab

CVE-2022-31172 HIGH
7.5 Jul 22

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2022-31170 HIGH
7.5 Jul 22

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-27094 HIGH
7.4 Mar 21

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.4), this vulnerab

CVE-2024-45304 MEDIUM
6.5 Aug 31

Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. Rated medium severi

CVE-2023-26488 MEDIUM
6.5 Mar 03

OpenZeppelin Contracts is a library for secure smart contract development. Rated medium severity (CVSS 6.5), this vulner

Share

CVE-2022-35916 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy