CVE-2022-35916

MEDIUM

OpenZeppelin Contracts <4.7.2 - Info Disclosure

Title source: llm

Description

OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This issue has been patched in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.

References (2)

[Third Party Advisory] https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9j3m-g383-29qr

[Patch, Third Party Advisory] https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578

Scores

CVSS v3 5.3

EPSS 0.0024

EPSS Percentile 47.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-669

Status published

Products (4)

openzeppelin/contracts 4.6.0 - 4.7.2

openzeppelin/contracts 4.6.0 - 4.7.2npm

openzeppelin/contracts-upgradeable 4.6.0 - 4.7.2npm

openzeppelin/contracts_upgradeable 4.6.0 - 4.7.2

Published Aug 01, 2022

Tracked Since Feb 18, 2026