CVE-2024-27094

EUVD-2024-0602
OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
GitHub_MCNA
6.5 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
Affected Products (NVD)
VendorProductVersion
openzeppelincontracts
4.5.0 ≤
𝑥
< 4.9.6
openzeppelincontracts
5.0.0 ≤
𝑥
< 5.0.2
openzeppelincontracts_upgradeable
4.5.0 ≤
𝑥
≤ 4.9.6
openzeppelincontracts_upgradeable
5.0.0 ≤
𝑥
< 5.0.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/2d081f24cac1a867f6f73d512f2022e1fa987854
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/723f8cab09cdae1aca9ec9cc1cfa040c2d4b06c1
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/92224533b1263772b0774eec3134e132a3d7b2a6
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/a6286d0fded8771b3a645e5813e51993c490399c
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9vx6-7xxf-x967
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/2d081f24cac1a867f6f73d512f2022e1fa987854
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/723f8cab09cdae1aca9ec9cc1cfa040c2d4b06c1
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/92224533b1263772b0774eec3134e132a3d7b2a6
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/a6286d0fded8771b3a645e5813e51993c490399c
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9vx6-7xxf-x967