CVE-2022-31153

Published: Jul 15, 2022Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1.

Affected (1)

Products: Openzeppelin: Contracts

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Openzeppelin Contracts	Version 0.2.0

Related CWEs

Improper Control of a Resource Through its Lifetime

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (12)

https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/OpenZeppelin/cairo-contracts/issues/386

Source: security-advisories@github.com

ExploitIssue TrackingThird Party Advisory

https://github.com/OpenZeppelin/cairo-contracts/pull/387

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1

Source: security-advisories@github.com

Release NotesThird Party Advisory

https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr

Source: security-advisories@github.com

Third Party Advisory

https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/OpenZeppelin/cairo-contracts/issues/386

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://github.com/OpenZeppelin/cairo-contracts/pull/387

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.