Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-27094

Good to know:

icon

Date: February 29, 2024

OpenZeppelin Contracts is a library for secure smart contract development. The "Base64.encode" function encodes a "bytes" input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.

Language: JS

Severity Score

Related Resources (8)

https://github.com/OpenZeppelin/openzeppelin-contracts
https://nvd.nist.gov/vuln/detail/CVE-2024-27094
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/a6286d0fded8771b3a645e5813e51993c490399c
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9vx6-7xxf-x967
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/2d081f24cac1a867f6f73d512f2022e1fa987854
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/723f8cab09cdae1aca9ec9cc1cfa040c2d4b06c1
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/92224533b1263772b0774eec3134e132a3d7b2a6
https://www.mend.io/vulnerability-database/CVE-2024-27094

Severity Score

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

Top Fix

icon

Upgrade Version

Upgrade to version @openzeppelin/contracts - 4.9.6;@openzeppelin/contracts - 5.0.2;@openzeppelin/contracts-upgradeable - 4.9.6;@openzeppelin/contracts-upgradeable - 5.0.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): HIGH

Do you need more information?

Contact Us