Which versions of OpenZeppelin Contracts are affected by CVE-2022-35915?

OpenZeppelin Contracts versions 2.0.0 to 4.7.2 are affected.

How can I fix CVE-2022-35915 in my OpenZeppelin Contracts library?

Upgrade to version 4.7.2 of OpenZeppelin Contracts.

Where can I find more information about CVE-2022-35915?

You can find more information about CVE-2022-35915 in the OpenZeppelin Contracts security advisory or the NVD.

What is the severity rating of CVE-2022-35915?

The severity rating of CVE-2022-35915 is medium (5.3).

Vulnerability/
CVE-2022-35915

medium

5.3

CWE

400 770

1/8/2022

14/8/2022

21/7/2023

CVE-2022-35915

First published: Mon Aug 01 2022(Updated: )

### Impact The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. ### Patches The issue has been fixed in v4.7.2. ### References https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587 ### For more information If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at [security@openzeppelin.com](mailto:security@openzeppelin.com).

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Openzeppelin Contracts	>=2.0.0<4.7.2
Openzeppelin Contracts Upgradeable	>=3.2.0<4.7.2
Openzeppelin Openzeppelin-eth	>=2.0.0
Openzeppelin Openzeppelin-solidity	>=2.0.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the impact of CVE-2022-35915?
The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data.
Which versions of OpenZeppelin Contracts are affected by CVE-2022-35915?
OpenZeppelin Contracts versions 2.0.0 to 4.7.2 are affected.
How can I fix CVE-2022-35915 in my OpenZeppelin Contracts library?
Upgrade to version 4.7.2 of OpenZeppelin Contracts.
Where can I find more information about CVE-2022-35915?
You can find more information about CVE-2022-35915 in the OpenZeppelin Contracts security advisory or the NVD.
What is the severity rating of CVE-2022-35915?
The severity rating of CVE-2022-35915 is medium (5.3).

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/nvd-api
collector/nvd-cve
collector/nvd-index
vendor/openzeppelin
canonical/openzeppelin contracts
version/openzeppelin contracts/2.0.0
canonical/openzeppelin contracts upgradeable
version/openzeppelin contracts upgradeable/3.2.0
canonical/openzeppelin openzeppelin-eth
version/openzeppelin openzeppelin-eth/2.0.0
canonical/openzeppelin openzeppelin-solidity
version/openzeppelin openzeppelin-solidity/2.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.