Vulnerability Details CVE-2024-27094
OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 67.6%
CVSS Severity
CVSS v3 Score 6.5
References
- https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/2d081f24cac1a867f6f73d512f2022e1fa987854
- https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/723f8cab09cdae1aca9ec9cc1cfa040c2d4b06c1
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/92224533b1263772b0774eec3134e132a3d7b2a6
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/a6286d0fded8771b3a645e5813e51993c490399c
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9vx6-7xxf-x967
- https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/2d081f24cac1a867f6f73d512f2022e1fa987854
- https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/723f8cab09cdae1aca9ec9cc1cfa040c2d4b06c1
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/92224533b1263772b0774eec3134e132a3d7b2a6
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/a6286d0fded8771b3a645e5813e51993c490399c
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9vx6-7xxf-x967
Products affected by CVE-2024-27094
-
cpe:2.3:a:openzeppelin:contracts:4.5.0
-
cpe:2.3:a:openzeppelin:contracts:4.6.0
-
cpe:2.3:a:openzeppelin:contracts:4.7.0
-
cpe:2.3:a:openzeppelin:contracts:4.7.1
-
cpe:2.3:a:openzeppelin:contracts:4.7.2
-
cpe:2.3:a:openzeppelin:contracts:4.7.3
-
cpe:2.3:a:openzeppelin:contracts:4.8.0
-
cpe:2.3:a:openzeppelin:contracts:4.8.1
-
cpe:2.3:a:openzeppelin:contracts:4.8.2
-
cpe:2.3:a:openzeppelin:contracts:4.8.3
-
cpe:2.3:a:openzeppelin:contracts:4.9.0
-
cpe:2.3:a:openzeppelin:contracts:4.9.1
-
cpe:2.3:a:openzeppelin:contracts:4.9.2
-
cpe:2.3:a:openzeppelin:contracts:4.9.3
-
cpe:2.3:a:openzeppelin:contracts:4.9.4
-
cpe:2.3:a:openzeppelin:contracts:4.9.5
-
cpe:2.3:a:openzeppelin:contracts:5.0.0
-
cpe:2.3:a:openzeppelin:contracts:5.0.1
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.5.0
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.5.1
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.5.2
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.6.0
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.7.0
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.7.1
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.7.2
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.7.3
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.8.0
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.8.1
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.8.2
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.8.3
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.9.0
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.9.1
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.9.2
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.9.3
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.9.4
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:4.9.5
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:5.0.0
-
cpe:2.3:a:openzeppelin:contracts_upgradeable:5.0.1