Skip to main content

Contracts CVE-2023-34459

MEDIUM
Improper Validation of Integrity Check Value (CWE-354)
2023-06-16 security-advisories@github.com
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 16, 2023 - 23:15 nvd
MEDIUM 5.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 850 npm packages depend on @openzeppelin/contracts (117 direct, 742 indirect)
  • 13 npm packages depend on @openzeppelin/contracts-upgradeable (9 direct, 4 indirect)

Ecosystem-wide dependent count for version 4.7.0 and other introduced versions.

DescriptionNVD

OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the verifyMultiProof, verifyMultiProofCalldata, procesprocessMultiProof, or processMultiProofCalldat functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves.

A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertedly for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree.

A contract is not vulnerable if it uses single-leaf proving (verify, verifyCalldata, processProof, or processProofCalldata), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe.

The problem has been patched in version 4.9.2.

Some workarounds are available. For those using multiproofs: When constructing merkle trees hash the leaves and do not insert empty nodes in your trees. Using the @openzeppelin/merkle-tree package eliminates this issue. Do not accept user-provided merkle roots without reconstructing at least the first level of the tree. Verify the merkle tree structure by reconstructing it from the leaves.

AnalysisAI

OpenZeppelin Contracts is a library for smart contract development. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Technical ContextAI

This vulnerability is classified under CWE-354. OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the verifyMultiProof, verifyMultiProofCalldata, procesprocessMultiProof, or processMultiProofCalldat functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertedly for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree. A contract is not vulnerable if it uses single-leaf proving (verify, verifyCalldata, processProof, or processProofCalldata), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe. The problem has been patched in version 4.9.2. Some workarounds are available. For those using multiproofs: When constructing merkle trees hash the leaves and do not insert empty nodes in your trees. Using the @openzeppelin/merkle-tree package eliminates this issue. Do not accept user-provided merkle roots without reconstructing at least the first level of the tree. Verify the merkle tree structure by reconstructing it from the leaves. Affected products include: Openzeppelin Contracts, Openzeppelin Contracts Upgradeable. Version information: version 4.7.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-31153 MEDIUM POC
6.5 Jul 15

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK

CVE-2021-41264 CRITICAL
9.8 Nov 12

OpenZeppelin Contracts is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2021-39168 CRITICAL
9.8 Aug 27

OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2021-39167 CRITICAL
9.8 Aug 27

OpenZepplin is a library for smart contract development. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2023-30542 HIGH
8.8 Apr 16

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 8.8), this vulnerab

CVE-2023-49798 HIGH
7.5 Dec 09

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2022-31198 HIGH
7.5 Aug 01

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.5), this vulnerab

CVE-2022-31172 HIGH
7.5 Jul 22

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2022-31170 HIGH
7.5 Jul 22

OpenZeppelin Contracts is a library for smart contract development. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-27094 HIGH
7.4 Mar 21

OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.4), this vulnerab

CVE-2024-45304 MEDIUM
6.5 Aug 31

Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. Rated medium severi

CVE-2023-26488 MEDIUM
6.5 Mar 03

OpenZeppelin Contracts is a library for secure smart contract development. Rated medium severity (CVSS 6.5), this vulner

Share

CVE-2023-34459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy