TimelockController vulnerability in OpenZeppelin Contracts
CVE-2021-39167

10CRITICAL

Key Information:

Vendor

Openzeppelin

Status
Openzeppelin-contracts
Vendor
CVE Published:
27 August 2021

What is CVE-2021-39167?

OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

openzeppelin-contracts >=4.0.0, < 4.3.1 < 4.0.0, 4.3.1

openzeppelin-contracts >=3.3.0, < 3.4.2 < 3.3.0, 3.4.2

openzeppelin-contracts >= 3.3.0-solc-0.7, < 3.4.2-solc-0.7 < 3.3.0-solc-0.7, 3.4.2-solc-0.7

References

https://github.com/OpenZeppelin/openzeppelin-contracts/co...
x_refsource_MISC
https://github.com/OpenZeppelin/openzeppelin-contracts/bl...
x_refsource_MISC
https://github.com/OpenZeppelin/openzeppelin-contracts/se...
x_refsource_CONFIRM

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.