CVE-2024-27094 MEDIUM

CVE-2024-27094: OpenZeppelin Contracts base64 encoding may read from potentially dirty memory

Vendor Openzeppelin
Product openzeppelin-contracts
Weakness CWE-125
Published February 29, 2024
Last update August 2, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

Description

OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When the input length is not a multiple of 3, the last iteration may read memory beyond the end of the input buffer, so stale bytes there can influence the encoded output. The vulnerability is fixed in 5.0.2 and 4.9.6.
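An added example, not OpenZeppelin's Solidity code: a Python model of the 3-byte chunked encoder from the description, run over a constructed memory buffer whose bytes past the input are stale. It shows which output characters the over-read corrupts for each input length remainder, and a zero-filled variant that yields the canonical encoding; the function and buffer names are this example's own.

```python
import base64

ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_chunked(memory: bytes, length: int, clean_tail: bool = True) -> bytes:
    """Base64-encode memory[:length] three input bytes at a time.

    clean_tail=False models the behaviour described in the advisory: the last
    iteration reads a full 3-byte chunk even when fewer input bytes remain, so
    bytes past `length` leak into the sextets.  clean_tail=True zero-fills the
    short final chunk instead, which is what a correct encoder must do.
    """
    out = bytearray()
    for i in range(0, length, 3):
        if clean_tail:
            chunk = memory[i:min(i + 3, length)].ljust(3, b"\x00")
        else:
            chunk = memory[i:i + 3].ljust(3, b"\x00")  # over-reads past `length`
        word = int.from_bytes(chunk, "big")
        for shift in (18, 12, 6, 0):
            out.append(ALPHABET[(word >> shift) & 0x3F])
    # Padding overwrites the last one or two characters; the sextet that
    # straddles the input boundary is not overwritten, so stale bits survive.
    pad = -length % 3
    if pad:
        out[-pad:] = b"=" * pad
    return bytes(out)


# Constructed sample memory: the input followed by stale 0xff bytes that stand
# in for whatever happened to be in memory beyond the buffer.
DIRTY_TAIL = b"\xff" * 4
MEMORY_HI = b"hi" + DIRTY_TAIL   # length % 3 == 2
MEMORY_H = b"h" + DIRTY_TAIL     # length % 3 == 1


def compare(memory: bytes, length: int) -> tuple:
    """Return (reference, over-read output, zero-filled output) for memory[:length]."""
    reference = base64.b64encode(memory[:length])
    return (reference,
            encode_chunked(memory, length, clean_tail=False),
            encode_chunked(memory, length, clean_tail=True))


if __name__ == "__main__":
    for mem, n in ((MEMORY_HI, 2), (MEMORY_H, 1), (b"hi!" + DIRTY_TAIL, 3)):
        print(n, compare(mem, n))
```

If the stale bytes happen to be zero the three outputs agree, which is why the defect can pass tests that never leave non-zero data after the input; the third sextet ("n" instead of "k", "P" instead of "A") is where the over-read shows.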

Key dates

Disclosure timeline

February 29, 2024 CVE published
August 2, 2024 Record updated