cve | GitHub_M | CVE-2023-26488
History: Mar 03, 2023 - 10:15 p.m.

CVE-2023-26488

2023-03-03 22:15:09
CWE-682
GitHub_M
web.nvd.nist.gov
Tags: openzeppelin, contracts, erc721, nfts, security, vulnerability, overflow, patch, 4.8.2

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 29.7%

OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by balanceOf. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2.

Affected configurations

Node
openzeppelin | contracts | Range 4.8.0 - 4.8.2 | node.js
OR
openzeppelin | contracts_upgradeable | Range 4.8.0 - 4.8.2 | node.js

Vendor | Product | Version | CPE
openzeppelin | contracts | * | cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*
openzeppelin | contracts_upgradeable | * | cpe:2.3:a:openzeppelin:contracts_upgradeable:*:*:*:*:*:node.js:*:*

CNA Affected

[
  {
    "vendor": "OpenZeppelin",
    "product": "openzeppelin-contracts",
    "versions": [
      {
        "version": ">= 4.8.0, < 4.8.2",
        "status": "affected"
      }
    ]
  }
]
