Vulnerability Details : CVE-2021-39168
OpenZeppelin is a library for smart contract development. In affected versions, a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround, revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and one executor remaining.
Products affected by CVE-2021-39168
- cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-39168
0.25% - probability of exploitation activity in the next 30 days
EPSS Score History
~64% - percentile, the proportion of vulnerabilities scored at or below this one
CVSS scores for CVE-2021-39168
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 | GitHub, Inc. | |
CWE ids for CVE-2021-39168
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security-advisories@github.com (Secondary)
References for CVE-2021-39168
- https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-vrw4-w73r-6mm8
  TimelockController vulnerability in OpenZeppelin Contracts · Advisory · OpenZeppelin/openzeppelin-contracts-upgradeable · GitHub (Third Party Advisory)
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/cec4f2ef57495d8b1742d62846da212515d99dd5
  Add additional isOperationReady check in TimelockController · OpenZeppelin/openzeppelin-contracts@cec4f2e · GitHub (Patch; Third Party Advisory)
- https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md#431
  openzeppelin-contracts/CHANGELOG.md at master · OpenZeppelin/openzeppelin-contracts · GitHub (Patch; Release Notes; Third Party Advisory)