CVE-2022-31153
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OpenZeppelin | cairo-contracts | = 0.2.0 | affected |
Weaknesses
- CWE-664: CWE-664: Improper Control of a Resource Through its Lifetime
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr
- https://github.com/OpenZeppelin/cairo-contracts/issues/386
- https://github.com/OpenZeppelin/cairo-contracts/pull/387
- https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9
- https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203
- https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr
- https://github.com/OpenZeppelin/cairo-contracts/issues/386
- https://github.com/OpenZeppelin/cairo-contracts/pull/387
- https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9
- https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203
- https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.