CVE-2021-41264

Summary

OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. For users unable to upgrade; initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.

Affected Software

VendorProductVersion RangeStatus
OpenZeppelinopenzeppelin-contracts>= 4.1.0 < 4.3.2affected

Weaknesses

  • CWE-665: CWE-665: Improper Initialization

ADP Enrichment

CVE Program Container

Additional References

References