CVE-2023-30542
CVSS V2 None
CVSS V3 None
Description
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The `ProposalCreated` event correctly represents what will eventually execute, but the proposal parameters as queried through `getActions` appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length `signatures` and `calldatas` parameters.
Overview
- CVE ID
- CVE-2023-30542
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Undergoing Analysis
- Published Version
- 2023-04-16T08:15:07
- Last Modified Date
- 2023-04-17T13:12:43
Weakness Enumerations
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-30542 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30542 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2023-04-17 04:49:20 | Added to TrackCVE | |||
2023-04-17 04:49:22 | Weakness Enumeration | new | ||
2023-04-17 14:02:00 | 2023-04-17T13:12:43 | CVE Modified Date | updated | |
2023-04-17 14:02:00 | Received | Awaiting Analysis | Vulnerability Status | updated |
2023-04-24 11:00:56 | Awaiting Analysis | Undergoing Analysis | Vulnerability Status | updated |