Vulnerability Description
OpenZeppelin is a library for smart contract development. In affected versions, a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround, revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.
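One defender-side way to turn the workaround above into a concrete revocation list, as an added example that is not OpenZeppelin's code: it replays the RoleGranted / RoleRevoked events that AccessControl emits to find the current executors and proposers, lists the executors that are not also proposers, and refuses to produce a plan that would leave the timelock with no proposer or no executor. The event sample and the shortened addresses are constructed; role identifiers are labelled by name rather than by their on-chain keccak256 values.

```javascript
// Added example, not OpenZeppelin's code: plan the CVE-2021-39168 workaround
// (revoke EXECUTOR_ROLE from accounts that are not also proposers) by replaying a
// TimelockController's AccessControl RoleGranted / RoleRevoked event history.
// Roles are labelled by name here; on-chain they are keccak256("EXECUTOR_ROLE") etc.
const EXECUTOR_ROLE = "EXECUTOR_ROLE";
const PROPOSER_ROLE = "PROPOSER_ROLE";
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// Constructed sample of decoded logs, oldest first (addresses shortened for readability).
const sampleLogs = [
  { event: "RoleGranted", role: PROPOSER_ROLE, account: "0xA1" },
  { event: "RoleGranted", role: EXECUTOR_ROLE, account: "0xA1" }, // proposer and executor
  { event: "RoleGranted", role: EXECUTOR_ROLE, account: "0xB2" }, // executor only
  { event: "RoleGranted", role: EXECUTOR_ROLE, account: "0xC3" },
  { event: "RoleRevoked", role: EXECUTOR_ROLE, account: "0xC3" }, // no longer an executor
  { event: "RoleGranted", role: EXECUTOR_ROLE, account: ZERO_ADDRESS }, // open execution
];

// Replay the log in order: current holders are those granted and not since revoked.
function currentMembers(logs, role) {
  const members = new Set();
  for (const log of logs) {
    if (log.role !== role) continue;
    const account = log.account.toLowerCase();
    if (log.event === "RoleGranted") members.add(account);
    else if (log.event === "RoleRevoked") members.delete(account);
  }
  return members;
}

// Executors that are not also proposers are the ones the advisory recommends revoking.
// EXECUTOR_ROLE held by address(0) means execution is open to anyone (onlyRoleOrOpenRole),
// so that entry is always listed for revocation.
// Refuses any plan that would leave the timelock with no proposer or no executor.
function planRevocations(logs) {
  const proposers = currentMembers(logs, PROPOSER_ROLE);
  const executors = currentMembers(logs, EXECUTOR_ROLE);
  const revoke = [...executors].filter((a) => !proposers.has(a));
  const remainingExecutors = executors.size - revoke.length;
  if (proposers.size === 0 || remainingExecutors === 0) {
    throw new Error("plan would leave no proposer or no executor; grant a trusted one first");
  }
  return { revoke, remainingExecutors, proposers: [...proposers] };
}

// The revokeRole(EXECUTOR_ROLE, account) calls themselves must be sent by a
// TIMELOCK_ADMIN_ROLE holder, e.g. scheduled through the timelock itself.
console.log(planRevocations(sampleLogs));
```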
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openzeppelin | Contracts | >= 3.3.0, < 3.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advi (Third Party Advisory)
- https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md# (Patch, Release Notes, Third Party Advisory)
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/cec4f2ef57495d8b17 (Patch, Third Party Advisory)
FAQ
What is CVE-2021-39168?
CVE-2021-39168 is a vulnerability with a CVSS score of 10.0 (CRITICAL). OpenZeppelin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details abou...
How severe is CVE-2021-39168?
CVE-2021-39168 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-39168?
Check the references section above for vendor advisories and patch information. Affected products include: Openzeppelin Contracts.