CVE-2021-41264 - OpenCVE

OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301).

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Openzeppelin	Contracts

Configuration 1 [-]

cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301	Issue Tracking Mitigation Patch Vendor Advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592	Patch Third Party Advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-11-12T17:55:11

Updated: 2021-11-12T17:55:11

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41264

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-12T18:15:07.733

Modified: 2021-11-15T15:01:51.643

Link: CVE-2021-41264

JSON object: View

Redhat Information

No data.

CWE

CWE-665

{"containers": {"cna": {"affected": [{"product": "openzeppelin-contracts", "vendor": "OpenZeppelin", "versions": [{"status": "affected", "version": ">= 4.1.0 < 4.3.2"}]}], "descriptions": [{"lang": "en", "value": "OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-665", "description": "CWE-665: Improper Initialization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-12T17:55:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592"}, {"tags": ["x_refsource_MISC"], "url": "https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301"}], "source": {"advisory": "GHSA-5vp3-v4hc-gx76", "discovery": "UNKNOWN"}, "title": "UUPSUpgradeable vulnerability in OpenZeppelin Contracts", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41264", "STATE": "PUBLIC", "TITLE": "UUPSUpgradeable vulnerability in OpenZeppelin Contracts"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "openzeppelin-contracts", "version": {"version_data": [{"version_value": ">= 4.1.0 < 4.3.2"}]}}]}, "vendor_name": "OpenZeppelin"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301)."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-665: Improper Initialization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76", "refsource": "CONFIRM", "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76"}, {"name": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592", "refsource": "MISC", "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592"}, {"name": "https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301", "refsource": "MISC", "url": "https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301"}]}, "source": {"advisory": "GHSA-5vp3-v4hc-gx76", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41264", "datePublished": "2021-11-12T17:55:11", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2021-11-12T17:55:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F34D8174-091A-492C-A3B5-C29575554D58", "versionEndExcluding": "4.3.2", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301)."}, {"lang": "es", "value": "OpenZeppelin Contracts es una biblioteca para el desarrollo de contratos inteligentes. En las versiones afectadas, los contratos actualizables que usan \"UUPSUpgradeable\" pueden ser vulnerables a un ataque que afecta a los contratos de implementaci\u00f3n no inicializada. Se incluye una correcci\u00f3n en la versi\u00f3n 4.3.2 de \"@openzeppelin/contracts\" y \"@openzeppelin/contracts-upgradeable\". Para usuarios que no puedan actualizar; inicialice los contratos de implementaci\u00f3n usando \"UUPSUpgradeable\" al invocar la funci\u00f3n inicializadora (normalmente llamada \"initialize\"). Se proporciona un ejemplo [en el foro](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301)"}], "id": "CVE-2021-41264", "lastModified": "2021-11-15T15:01:51.643", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Primary"}]}, "published": "2021-11-12T18:15:07.733", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-665"}], "source": "security-advisories@github.com", "type": "Primary"}]}