CVE-2021-39167 CRITICAL

CVE-2021-39167: TimelockController vulnerability in OpenZeppelin Contracts

Vendor Openzeppelin

Product openzeppelin-contracts

Weakness CWE-269

Published August 26, 2021

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.

Key dates

02Disclosure timeline

August 26, 2021 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-39167 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/269.html

Related vulnerabilities

Identifiers

CVE CVE-2021-39167

CWE CWE-269

CVSS 10.0 / CRITICAL

Affected versions

Vendor Openzeppelin

Product openzeppelin-contracts

Affected >=4.0.0, < 4.3.1

Vendor Openzeppelin

Product openzeppelin-contracts

Affected >=3.3.0, < 3.4.2

Vendor Openzeppelin

Product openzeppelin-contracts

Affected >= 3.3.0-solc-0.7, < 3.4.2-solc-0.7

CVE-2021-39167: TimelockController vulnerability in OpenZeppelin Contracts

01Description

02Disclosure timeline

03References

04Related CVE