Vulnerability Description
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common; in particular, it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or for any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3.
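As an added illustration (not OpenZeppelin's code and not part of the CVE record), the following Python model reproduces the failure mode described above: EVM `CALLDATALOAD` zero-pads reads past the end of calldata and `SUB` wraps modulo 2^256, so reading "the last 20 bytes" of calldata shorter than 20 bytes yields `address(0)`. The trusted-forwarder address, the sample signer and the exact extraction pattern with its length check are my assumptions based on the advisory, not a transcription of the library.

```python
# Model of ERC-2771 sender extraction (assumed pattern, not OpenZeppelin's code).
# Only the two EVM opcodes that matter are modelled: CALLDATALOAD and SUB.
WORD = 32
MASK256 = (1 << 256) - 1
ADDRESS_ZERO = "0x" + "00" * 20
TRUSTED_FORWARDER = "0x" + "f0" * 20   # constructed placeholder forwarder address


def calldataload(calldata: bytes, offset: int) -> int:
    """EVM CALLDATALOAD: 32 bytes at `offset`, zero-padded beyond the end of calldata."""
    word = calldata[offset:offset + WORD] if offset < len(calldata) else b""
    return int.from_bytes(word.ljust(WORD, b"\x00"), "big")


def evm_sub(a: int, b: int) -> int:
    """EVM SUB wraps modulo 2**256, so calldatasize() - 20 underflows for short calldata."""
    return (a - b) & MASK256


def extract_appended_sender(calldata: bytes) -> str:
    """Assumed extraction: sender := shr(96, calldataload(sub(calldatasize(), 20)))."""
    word = calldataload(calldata, evm_sub(len(calldata), 20))
    return "0x" + (word >> 96).to_bytes(20, "big").hex()


def msg_sender_vulnerable(msg_sender: str, calldata: bytes) -> str:
    """Pre-4.9.3 behaviour as described: trusts the forwarder without a length check."""
    if msg_sender == TRUSTED_FORWARDER:
        return extract_appended_sender(calldata)
    return msg_sender  # plain call: msg.sender is the sender


def msg_sender_fixed(msg_sender: str, calldata: bytes) -> str:
    """Patched behaviour: strip an appended sender only when at least 20 bytes exist."""
    if msg_sender == TRUSTED_FORWARDER and len(calldata) >= 20:
        return extract_appended_sender(calldata)
    return msg_sender


if __name__ == "__main__":
    signer = "0x" + "ab" * 20               # constructed signer address
    selector = bytes.fromhex("12345678")    # constructed 4-byte function selector
    # Well-formed meta-transaction: the forwarder appends the signer to the calldata.
    print(msg_sender_vulnerable(TRUSTED_FORWARDER, selector + bytes.fromhex(signer[2:])))
    # Calldata shorter than 20 bytes from the forwarder: the underflowed offset reads zeros.
    print(msg_sender_vulnerable(TRUSTED_FORWARDER, selector))  # address(0)
    print(msg_sender_fixed(TRUSTED_FORWARDER, selector))       # the forwarder itself
```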
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openzeppelin | Openzeppelin Contracts | >= 4.0.0, < 4.9.3 |
| Openzeppelin | Openzeppelin Contracts-Upgradeable | >= 4.0.0, < 4.9.3 |
Related Weaknesses (CWE)
References
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/9445f96223041abf2b (Patch)
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/e4435eed757d430943 (Patch)
- https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4481 (Patch, Vendor Advisory)
- https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4484 (Patch, Vendor Advisory)
- https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.3 (Release Notes)
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA- (Vendor Advisory)
FAQ
What is CVE-2023-40014?
CVE-2023-40014 is a vulnerability with a CVSS score of 5.3 (MEDIUM). OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder ...
How severe is CVE-2023-40014?
CVE-2023-40014 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-40014?
Check the references section above for vendor advisories and patch information. Affected products include: Openzeppelin Openzeppelin Contracts, Openzeppelin Openzeppelin Contracts-Upgradeable.