Vulnerability Description
OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released in `@openzeppelin/[email protected]` and `@openzeppelin/[email protected]`, all subcalls are executed twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers. The duplicated delegatecall was removed in version 4.9.5. The 4.9.4 version is marked as deprecated. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openzeppelin | Contracts | 4.9.4 |
| Openzeppelin | Contracts Upgradeable | 4.9.4 |
Related Weaknesses (CWE)
References
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/88ac712e06832bce73Patch
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-Vendor Advisory
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/88ac712e06832bce73Patch
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-Vendor Advisory
FAQ
What is CVE-2023-49798?
CVE-2023-49798 is a vulnerability with a CVSS score of 5.9 (MEDIUM). OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released i...
How severe is CVE-2023-49798?
CVE-2023-49798 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-49798?
Check the references section above for vendor advisories and patch information. Affected products include: Openzeppelin Contracts, Openzeppelin Contracts Upgradeable.