Skip to main content

Contracts CVE-2023-23940

MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2023-02-03 security-advisories@github.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 03, 2023 - 20:15 nvd
MEDIUM 5.3

DescriptionNVD

OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature. As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.

AnalysisAI

OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable.

Technical ContextAI

This vulnerability is classified under CWE-345. OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature. As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1. Affected products include: Openzeppelin Contracts.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-31153 MEDIUM POC
6.5 Jul 15

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK

CVE-2021-41264 CRITICAL
9.8 Nov 12

OpenZeppelin Contracts is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2021-39168 CRITICAL
9.8 Aug 27

OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2021-39167 CRITICAL
9.8 Aug 27

OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2023-30542 HIGH
8.8 Apr 16

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 8.8), this vulnerab

CVE-2023-49798 HIGH
7.5 Dec 09

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2022-31198 HIGH
7.5 Aug 01

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.5), this vulnerab

CVE-2022-31172 HIGH
7.5 Jul 22

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2022-31170 HIGH
7.5 Jul 22

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-27094 HIGH
7.4 Mar 21

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.4), this vulnerab

CVE-2024-45304 MEDIUM
6.5 Aug 31

Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. Rated medium severi

CVE-2023-26488 MEDIUM
6.5 Mar 03

OpenZeppelin Contracts is a library for secure smart contract development. Rated medium severity (CVSS 6.5), this vulner

Share

CVE-2023-23940 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy