Home > Vulnerability Database > CVE-2022-31172

Mend.io Vulnerability Database

CVE-2022-31172

Good to know:

Date: July 21, 2022

OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. "SignatureChecker.isValidSignatureNow" is not expected to revert. However, an incorrect assumption about Solidity 0.8's "abi.decode" allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use "SignatureChecker" to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.

Language: JS

Severity Score

7.5

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-31172

Url: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9

Url: https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552

Url: https://www.mend.io/vulnerability-database/CVE-2022-31172

Severity Score

7.5

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

Improper Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version @openzeppelin/contracts-upgradeable - 4.7.1;@openzeppelin/contracts - 4.7.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-31172

Good to know:

Date: July 21, 2022

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?