- Description
- OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- contracts, contracts_upgradeable
CVSS 3.1
- Type
- Primary
- Base score
- 7.4
- Impact score
- 5.2
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
- Severity
- HIGH
- security-advisories@github.com
- CWE-125
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "AFE4954A-1F77-4EAD-85B6-4FA68BA03719",
"versionEndExcluding": "4.9.6",
"versionStartIncluding": "4.5.0"
},
{
"criteria": "cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "2193380A-ABB6-42C3-8AE6-6A13D7B007E9",
"versionEndExcluding": "5.0.2",
"versionStartIncluding": "5.0.0"
},
{
"criteria": "cpe:2.3:a:openzeppelin:contracts_upgradeable:*:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "D1D3D69D-791D-4AA2-B751-A6300854BCCB",
"versionEndIncluding": "4.9.6",
"versionStartIncluding": "4.5.0"
},
{
"criteria": "cpe:2.3:a:openzeppelin:contracts_upgradeable:*:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "972AD148-5CC7-48ED-AA55-CBB1149BAF23",
"versionEndExcluding": "5.0.2",
"versionStartIncluding": "5.0.0"
}
],
"operator": "OR"
}
]
}
]