CVE-2021-41264 - Vulnerability Details - OpenCVE

OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openzeppelin	Contracts

Configuration 1 [-]

cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-11-12T17:55:11

Updated: 2024-08-04T03:08:31.576Z

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41264

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-11-12T18:15:07.733

Modified: 2024-11-21T06:25:55.170

Link: CVE-2021-41264

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "openzeppelin-contracts", "vendor": "OpenZeppelin", "versions": [{"status": "affected", "version": ">= 4.1.0 < 4.3.2"}]}], "descriptions": [{"lang": "en", "value": "OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-665", "description": "CWE-665: Improper Initialization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-12T17:55:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592"}, {"tags": ["x_refsource_MISC"], "url": "https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301"}], "source": {"advisory": "GHSA-5vp3-v4hc-gx76", "discovery": "UNKNOWN"}, "title": "UUPSUpgradeable vulnerability in OpenZeppelin Contracts", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41264", "STATE": "PUBLIC", "TITLE": "UUPSUpgradeable vulnerability in OpenZeppelin Contracts"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "openzeppelin-contracts", "version": {"version_data": [{"version_value": ">= 4.1.0 < 4.3.2"}]}}]}, "vendor_name": "OpenZeppelin"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301)."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-665: Improper Initialization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76", "refsource": "CONFIRM", "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76"}, {"name": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592", "refsource": "MISC", "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592"}, {"name": "https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301", "refsource": "MISC", "url": "https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301"}]}, "source": {"advisory": "GHSA-5vp3-v4hc-gx76", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:08:31.576Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41264", "datePublished": "2021-11-12T17:55:11", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.576Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F34D8174-091A-492C-A3B5-C29575554D58", "versionEndExcluding": "4.3.2", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301)."}, {"lang": "es", "value": "OpenZeppelin Contracts es una biblioteca para el desarrollo de contratos inteligentes. En las versiones afectadas, los contratos actualizables que usan \"UUPSUpgradeable\" pueden ser vulnerables a un ataque que afecta a los contratos de implementaci\u00f3n no inicializada. Se incluye una correcci\u00f3n en la versi\u00f3n 4.3.2 de \"@openzeppelin/contracts\" y \"@openzeppelin/contracts-upgradeable\". Para usuarios que no puedan actualizar; inicialice los contratos de implementaci\u00f3n usando \"UUPSUpgradeable\" al invocar la funci\u00f3n inicializadora (normalmente llamada \"initialize\"). Se proporciona un ejemplo [en el foro](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301)"}], "id": "CVE-2021-41264", "lastModified": "2024-11-21T06:25:55.170", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-11-12T18:15:07.733", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-665"}], "source": "security-advisories@github.com", "type": "Secondary"}]}