CVE-2024-45304

Sept. 19, 2024, 5:26 p.m.

6.5
Medium

Description

Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. This vulnerability can lead to unauthorized ownership transfer, contrary to the original owner's intention of leaving the contract without an owner. It introduces a security risk where an unintended party (pending owner) can gain control of the contract after the original owner has renounced ownership. This could also be used by a malicious owner to simulate leaving a contract without an owner, to later regain ownership by previously having proposed himself as a pending owner. This issue has been addressed in release version 0.16.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Product(s) Impacted

Vendor Product Versions
Openzeppelin
  • Contracts
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-670
Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a openzeppelin contracts / / / / / cairo / /

References

https://github.com/OpenZeppelin/cairo-contracts/commit/ef87d7847980e0cf83f4b7f3ff23e6590fb643ec
https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.16.0
https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-w2px-25pm-2cf9

Tags

security-advisories@github.com
CWE-670
2024-08-31
CVE-2024-45304

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

    View Vector String

Timeline

Published: Aug. 31, 2024, 12:15 a.m.
Last Modified: Sept. 19, 2024, 5:26 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.