CVE-2023-30542 — MEDIUM (6.8)

Q: How severe is CVE-2023-30542?

CVE-2023-30542 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-30542?

Check the references section above for vendor advisories and patch information. Affected products include: Openzeppelin Contracts, Openzeppelin Contracts Upgradeable.

Vulnerability Description

OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The `ProposalCreated` event correctly represents what will eventually execute, but the proposal parameters as queried through `getActions` appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length `signatures` and `calldatas` parameters.

CVSS Score

6.8

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Openzeppelin	Contracts	>= 4.3.0, < 4.8.3
Openzeppelin	Contracts Upgradeable	>= 4.3.0, < 4.8.3

Related Weaknesses (CWE)

CWE-20

References

https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3Release Notes
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-Vendor Advisory
https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3Release Notes
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-Vendor Advisory

FAQ

What is CVE-2023-30542?

CVE-2023-30542 is a vulnerability with a CVSS score of 6.8 (MEDIUM). OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatu...

How severe is CVE-2023-30542?

CVE-2023-30542 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-30542?

Check the references section above for vendor advisories and patch information. Affected products include: Openzeppelin Contracts, Openzeppelin Contracts Upgradeable.