CVE-2022-31172 (GCVE-0-2022-31172)

Vulnerability from cvelistv5 – Published: 2022-07-21 13:55 – Updated: 2025-04-23 17:57
VLAI?
Summary
OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
OpenZeppelin openzeppelin-contracts Affected: >= 4.1.0, < 4.7.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.637Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31172",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:53:13.610748Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T17:57:33.239Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openzeppelin-contracts",
          "vendor": "OpenZeppelin",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.7.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8\u0027s `abi.decode` allows some cases to revert, given a target contract that doesn\u0027t implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-21T13:55:11.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552"
        }
      ],
      "source": {
        "advisory": "GHSA-4g63-c64m-25w9",
        "discovery": "UNKNOWN"
      },
      "title": "OpenZeppelin Contracts\u0027s SignatureChecker may revert on invalid EIP-1271 signers",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31172",
          "STATE": "PUBLIC",
          "TITLE": "OpenZeppelin Contracts\u0027s SignatureChecker may revert on invalid EIP-1271 signers"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "openzeppelin-contracts",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 4.1.0, \u003c 4.7.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "OpenZeppelin"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8\u0027s `abi.decode` allows some cases to revert, given a target contract that doesn\u0027t implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20: Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9",
              "refsource": "CONFIRM",
              "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9"
            },
            {
              "name": "https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552",
              "refsource": "MISC",
              "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-4g63-c64m-25w9",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31172",
    "datePublished": "2022-07-21T13:55:11.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-23T17:57:33.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*\", \"versionStartIncluding\": \"4.1.0\", \"versionEndExcluding\": \"4.7.1\", \"matchCriteriaId\": \"26DDD2E8-29C5-456F-9EB6-8AE5C0E31B69\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8\u0027s `abi.decode` allows some cases to revert, given a target contract that doesn\u0027t implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.\"}, {\"lang\": \"es\", \"value\": \"OpenZeppelin Contracts es una biblioteca para el desarrollo de contratos inteligentes. Las versiones 4.1.0 hasta 4.7.1, son vulnerables a una reversi\\u00f3n de SignatureChecker. No es esperado que \\\"SignatureChecker.isValidSignatureNow\\\" revierta. Sin embargo, una suposici\\u00f3n incorrecta sobre \\\"abi.decode\\\" de Solidity versi\\u00f3n 0.8 permite que algunos casos sean revertidos, dado un contrato de destino que no implementa EIP-1271 como es esperado. Los contratos que pueden verse afectados son los que usan \\\"SignatureChecker\\\" para comprobar la validez de una firma y manejar las firmas no v\\u00e1lidas de una forma distinta a la reversi\\u00f3n. El problema fue parcheado en versi\\u00f3n 4.7.1\"}]",
      "id": "CVE-2022-31172",
      "lastModified": "2024-11-21T07:04:03.080",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2022-07-22T04:15:14.633",
      "references": "[{\"url\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-347\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-31172\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-07-22T04:15:14.633\",\"lastModified\":\"2024-11-21T07:04:03.080\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8\u0027s `abi.decode` allows some cases to revert, given a target contract that doesn\u0027t implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.\"},{\"lang\":\"es\",\"value\":\"OpenZeppelin Contracts es una biblioteca para el desarrollo de contratos inteligentes. Las versiones 4.1.0 hasta 4.7.1, son vulnerables a una reversi\u00f3n de SignatureChecker. No es esperado que \\\"SignatureChecker.isValidSignatureNow\\\" revierta. Sin embargo, una suposici\u00f3n incorrecta sobre \\\"abi.decode\\\" de Solidity versi\u00f3n 0.8 permite que algunos casos sean revertidos, dado un contrato de destino que no implementa EIP-1271 como es esperado. Los contratos que pueden verse afectados son los que usan \\\"SignatureChecker\\\" para comprobar la validez de una firma y manejar las firmas no v\u00e1lidas de una forma distinta a la reversi\u00f3n. El problema fue parcheado en versi\u00f3n 4.7.1\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.1.0\",\"versionEndExcluding\":\"4.7.1\",\"matchCriteriaId\":\"26DDD2E8-29C5-456F-9EB6-8AE5C0E31B69\"}]}]}],\"references\":[{\"url\":\"https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"product\": \"openzeppelin-contracts\", \"vendor\": \"OpenZeppelin\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.1.0, \u003c 4.7.1\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8\u0027s `abi.decode` allows some cases to revert, given a target contract that doesn\u0027t implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"version\": \"3.1\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2022-07-21T13:55:11.000Z\", \"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\"}, \"references\": [{\"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552\"}], \"source\": {\"advisory\": \"GHSA-4g63-c64m-25w9\", \"discovery\": \"UNKNOWN\"}, \"title\": \"OpenZeppelin Contracts\u0027s SignatureChecker may revert on invalid EIP-1271 signers\", \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"security-advisories@github.com\", \"ID\": \"CVE-2022-31172\", \"STATE\": \"PUBLIC\", \"TITLE\": \"OpenZeppelin Contracts\u0027s SignatureChecker may revert on invalid EIP-1271 signers\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"openzeppelin-contracts\", \"version\": {\"version_data\": [{\"version_value\": \"\u003e= 4.1.0, \u003c 4.7.1\"}]}}]}, \"vendor_name\": \"OpenZeppelin\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8\u0027s `abi.decode` allows some cases to revert, given a target contract that doesn\u0027t implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.\"}]}, \"impact\": {\"cvss\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"version\": \"3.1\"}}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-20: Improper Input Validation\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9\", \"refsource\": \"CONFIRM\", \"url\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9\"}, {\"name\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552\", \"refsource\": \"MISC\", \"url\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552\"}]}, \"source\": {\"advisory\": \"GHSA-4g63-c64m-25w9\", \"discovery\": \"UNKNOWN\"}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T07:11:39.637Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-31172\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T15:53:13.610748Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T15:53:15.650Z\"}}]}",
      "cveMetadata": "{\"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"cveId\": \"CVE-2022-31172\", \"datePublished\": \"2022-07-21T13:55:11.000Z\", \"dateReserved\": \"2022-05-18T00:00:00.000Z\", \"dateUpdated\": \"2025-04-23T17:57:33.239Z\", \"state\": \"PUBLISHED\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.