Vulnerability Details : CVE-2021-41264
OpenZeppelin Contracts is a library for smart contract development. In affected versions, upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade: initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301).
Products affected by CVE-2021-41264
- cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41264
EPSS score: 0.25% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~64% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2021-41264
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | GitHub, Inc. | |
CWE ids for CVE-2021-41264
- The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-41264
- https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301
  Security advisory: Initialize UUPS implementation contracts - General / Announcements - OpenZeppelin Community (Issue Tracking; Mitigation; Patch; Vendor Advisory)
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592
  Restrict upgrade to proxy context in UUPSUpgradeable · OpenZeppelin/openzeppelin-contracts@024cc50 · GitHub (Patch; Third Party Advisory)
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76
  UUPSUpgradeable vulnerability in OpenZeppelin Contracts · Advisory · OpenZeppelin/openzeppelin-contracts · GitHub (Third Party Advisory)