CVE-2024-27094

Summary

OpenZeppelin Contracts is a library for secure smart contract development. The Base64.encode function encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.

Affected Software

VendorProductVersion RangeStatus
OpenZeppelinopenzeppelin-contracts>= 4.5.0, < 4.9.6affected
OpenZeppelinopenzeppelin-contracts>= 5.0.0-rc.0, < 5.0.2affected

Weaknesses

  • CWE-125: CWE-125: Out-of-bounds Read

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References