CVE-2023-34234
MEDIUMOpenzeppelin Contracts < 4.9.1 - Missing Authorization
Title source: ruleDescription
OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5h3x-9wvq-w4m2
Scores
CVSS v3
5.3
EPSS
0.0011
EPSS Percentile
28.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (4)
openzeppelin/contracts
4.3.0 - 4.9.1
openzeppelin/contracts
4.3.0 - 4.9.1npm
openzeppelin/contracts-upgradeable
4.3.0 - 4.9.1npm
openzeppelin/contracts_upgradeable
4.3.0 - 4.9.1
Published
Jun 07, 2023
Tracked Since
Feb 18, 2026