CVE-2022-39384

Name of the Vulnerable Software and Affected Versions: OpenZeppelin Contracts versions 3.2.0 through 4.4.0

Description: The issue concerns initializer functions that are invoked separate from contract creation, such as minimal proxies, which may be reentered if they make an untrusted non-view external call. Normally, once an initializer has finished running, it can never be re-executed. However, an exception for multiple inheritance made reentrancy possible, breaking the expectation of a single execution. The impact is believed to be minor since upgradeable proxies are commonly initialized with contract creation, where reentrancy is not feasible.

Recommendations: For versions 3.2.0 through 4.4.0, upgrade to version 4.4.1 to resolve the issue. As a temporary workaround, avoid untrusted external calls during initialization.