Vulnerabilities > CVE-2023-26488 - Unspecified vulnerability in Openzeppelin Contracts and Contracts Upgradeable

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

openzeppelin

NVD

Published: 2023-03-03

Updated: 2024-11-21

Summary

OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2.

Vulnerable Configurations

Part	Description	Count
Application	Openzeppelin Openzeppelin Contracts Upgradeable 4.8.0 Openzeppelin Contracts Upgradeable 4.8.1 Openzeppelin Contracts 4.8.0 Openzeppelin Contracts 4.8.1	10

References

https://github.com/OpenZeppelin/openzeppelin-contracts/commit/167bf67ed3907f4a674043496019fa346cee7705
https://github.com/OpenZeppelin/openzeppelin-contracts/commit/167bf67ed3907f4a674043496019fa346cee7705
https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.2
https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.2
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-878m-3g6q-594q
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-878m-3g6q-594q