Vulnerability Details : CVE-2023-30541

OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in availability. The issue has been fixed in version 4.8.3. As a workaround if a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through.
Published 2023-04-17 22:15:10
Updated 2023-04-27 18:38:47
Source GitHub, Inc.
View at NVD,   CVE.org

Products affected by CVE-2023-30541

Exploit prediction scoring system (EPSS) score for CVE-2023-30541

EPSS FAQ
0.11%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 30 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-30541

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
5.3
 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
3.9
1.4
 NIST
5.3
 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
3.9
1.4
 GitHub, Inc.

CWE ids for CVE-2023-30541

  • Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
    Assigned by:
    • nvd@nist.gov (Primary)
    • security-advisories@github.com (Secondary)

References for CVE-2023-30541

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!
Accept Close