Platform: nodejs
Component: @openzeppelin/contracts-upgradeable
Fixed in: 4.0.1, 3.3.1, 3.3.1, 4.3.1
CVE-2021-39168 is a critical Remote Code Execution (RCE) vulnerability discovered in the @openzeppelin/contracts-upgradeable library. This flaw allows an attacker with the executor role to immediately seize control of the timelock by resetting the delay to zero, effectively granting them unrestricted access to assets held within the contract. The vulnerability impacts versions prior to 4.3.1, and a fix has been released in subsequent versions.
The impact of CVE-2021-39168 is severe, potentially leading to complete asset compromise. An attacker who gains control of the timelock can bypass intended delays and execute arbitrary actions, including transferring funds, modifying contract state, or even halting operations entirely. The vulnerability is particularly acute in instances where the executor role is set to 'open,' allowing anyone to assume the role and exploit the timelock. This is akin to a master key allowing unauthorized access to a secure vault. The potential for financial loss and reputational damage is significant, especially for decentralized applications (dApps) relying on @openzeppelin/contracts-upgradeable for secure asset management.
CVE-2021-39168 was publicly disclosed on August 30, 2021. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
Decentralized applications (dApps) and smart contracts relying on @openzeppelin/contracts-upgradeable for timelock functionality are at significant risk. Projects with open executor roles on their timelocks are particularly vulnerable, as anyone can assume the role and exploit the vulnerability. Developers using older versions of the library without proper access controls are also at risk.
• nodejs / smart contracts:
# Check the declared version range of the library in package.json
grep -E '"@openzeppelin/contracts-upgradeable": *"[^"]*"' package.json
• nodejs / smart contracts:
# Audit dependencies using npm audit
npm audit
• nodejs / smart contracts:
# Find Solidity sources that use the timelock, so their role and delay configuration can be reviewed
grep -rl --include='*.sol' "TimelockController" .
disclosure
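The shell one-liners above only look at the version range declared in package.json; the copy actually installed (including nested copies pulled in by other dependencies) is recorded in package-lock.json. The following is an added example, not code from the advisory or from OpenZeppelin: it walks a lockfile (v1 "dependencies" tree or v2/v3 "packages" map), collects every installed copy of @openzeppelin/contracts-upgradeable and flags those below the 4.3.1 patched release named on this page. The embedded lockfile is constructed for the example.

```javascript
'use strict';

// Added example (not from the advisory page): report installed copies of the
// library that are older than the patched release the advisory names.
const PATCHED = '4.3.1';
const PKG = '@openzeppelin/contracts-upgradeable';

// Parse "4.3.0" or a prerelease such as "4.3.1-rc.0" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1 comparing a to b; a prerelease sorts below its release.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Collect every installed copy of the package. Lockfile v2/v3 lists all paths in
// "packages" (nested copies live under node_modules/<dep>/node_modules/<pkg>);
// lockfile v1 nests them in a "dependencies" tree instead.
function installedVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${PKG}`) && info.version) {
        found.push({ path, version: info.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG && info.version) found.push({ path, version: info.version });
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Every installed copy older than the patched release.
function vulnerableCopies(lock) {
  return installedVersions(lock).filter(c => compareSemver(c.version, PATCHED) < 0);
}

// Constructed sample lockfile: a top-level 4.2.0 (affected) and a nested 4.3.1 (patched).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-dapp', version: '1.0.0' },
    ['node_modules/' + PKG]: { version: '4.2.0' },
    ['node_modules/some-plugin/node_modules/' + PKG]: { version: '4.3.1' },
  },
};

// Usage: node check-oz-timelock.js [path/to/package-lock.json]; without an
// argument the constructed sample is used.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const c of vulnerableCopies(lock)) {
    console.log(`AFFECTED ${c.path} ${c.version} < ${PATCHED}`);
  }
}
```

Nested copies matter because a plugin or framework may vendor its own older release of the library even after the project's direct dependency has been bumped; `npm ls @openzeppelin/contracts-upgradeable` shows the same tree interactively.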
Exploit status
EPSS
0.44% (63rd percentile)
CVSS vector
The primary mitigation for CVE-2021-39168 is to upgrade to a patched version of @openzeppelin/contracts or @openzeppelin/contracts-upgradeable, specifically version 4.3.1 or later. If immediate upgrading is not feasible due to compatibility issues or deployment complexities, consider temporarily restricting access to the executor role. Implement strict access controls and multi-signature requirements for timelock operations. Carefully review the timelock configuration to ensure the executor role is not set to 'open.' After upgrading, verify the timelock functionality by simulating a delayed action and confirming that the intended delay is enforced.
Revoke the executor role from any account that is not strictly under the team's control. It is recommended to revoke every executor that is not also a proposer. When applying this mitigation, make sure that at least one proposer and one executor remain.
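The workaround above comes down to three checks on the timelock's role membership: the executor role must not be open (in TimelockController, "open" means the role was granted to address(0)), every executor that is not also a proposer is a revocation candidate, and the revocations must not leave the timelock without a proposer or an executor. The following is an added example, not code from the advisory or from OpenZeppelin, that reconstructs membership from a constructed list of RoleGranted/RoleRevoked events (as an indexer or a block explorer export would provide them) and applies those rules. Role identifiers are the labelled strings PROPOSER_ROLE and EXECUTOR_ROLE rather than the real keccak256 bytes32 values; that is an assumption made for readability and does not change the logic.

```javascript
'use strict';

// Added example (not from the advisory page): audit a TimelockController's
// proposer/executor configuration against the advisory's workaround.
const PROPOSER_ROLE = 'PROPOSER_ROLE';   // keccak256("PROPOSER_ROLE") in the real contract (assumed label)
const EXECUTOR_ROLE = 'EXECUTOR_ROLE';   // keccak256("EXECUTOR_ROLE") in the real contract (assumed label)
const ZERO_ADDRESS = '0x0000000000000000000000000000000000000000'; // "open role" sentinel

// Replay grant/revoke events in chain order; later events override earlier ones.
function currentMembers(events) {
  const members = { [PROPOSER_ROLE]: new Set(), [EXECUTOR_ROLE]: new Set() };
  for (const ev of events) {
    const set = members[ev.role];
    if (!set) continue; // other roles (e.g. the admin role) are outside this check
    const account = ev.account.toLowerCase();
    if (ev.type === 'RoleGranted') set.add(account);
    else if (ev.type === 'RoleRevoked') set.delete(account);
  }
  return members;
}

// Apply the workaround: an open executor role is the worst case; executors that are
// not proposers (and the open-role sentinel) are revocation candidates; never leave
// the timelock with no proposer or no executor; a zero minDelay defeats the timelock.
function auditTimelockRoles(events, minDelaySeconds) {
  const m = currentMembers(events);
  const proposers = m[PROPOSER_ROLE];
  const executors = m[EXECUTOR_ROLE];
  const findings = [];

  if (executors.has(ZERO_ADDRESS)) {
    findings.push('EXECUTOR_ROLE is open (granted to address(0)): anyone can execute');
  }
  const toRevoke = [...executors].filter(a => a === ZERO_ADDRESS || !proposers.has(a));
  for (const a of toRevoke) {
    if (a !== ZERO_ADDRESS) findings.push(`executor ${a} is not a proposer: candidate for revocation`);
  }
  const remaining = [...executors].filter(a => !toRevoke.includes(a));
  if (remaining.length === 0) {
    findings.push('revoking every candidate would leave no executor: keep at least one');
  }
  if (proposers.size === 0) findings.push('no proposer configured');
  if (minDelaySeconds === 0) {
    findings.push('minDelay is 0: scheduled operations are executable immediately');
  }
  return { proposers: [...proposers], executors: [...executors], toRevoke, findings };
}

// Constructed event log (fake addresses): a multisig holding both roles, a
// contractor holding executor only, the executor role opened to address(0),
// and a former executor that was later revoked.
const MULTISIG = '0x000000000000000000000000000000000000000a';
const CONTRACTOR = '0x000000000000000000000000000000000000000b';
const FORMER = '0x000000000000000000000000000000000000000c';
const SAMPLE_EVENTS = [
  { type: 'RoleGranted', role: PROPOSER_ROLE, account: MULTISIG },
  { type: 'RoleGranted', role: EXECUTOR_ROLE, account: MULTISIG },
  { type: 'RoleGranted', role: EXECUTOR_ROLE, account: CONTRACTOR },
  { type: 'RoleGranted', role: EXECUTOR_ROLE, account: ZERO_ADDRESS },
  { type: 'RoleGranted', role: EXECUTOR_ROLE, account: FORMER },
  { type: 'RoleRevoked', role: EXECUTOR_ROLE, account: FORMER },
];

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditTimelockRoles(SAMPLE_EVENTS, 2 * 24 * 60 * 60); // constructed 2-day minDelay
  for (const f of report.findings) console.log(f);
  console.log('revoke:', report.toRevoke);
}
```

On a live deployment the same membership can be read without an indexer by calling `hasRole(EXECUTOR_ROLE, address(0))` and `getMinDelay()` on the timelock; the event replay above is what lets you list the individual executor accounts, which `hasRole` alone cannot enumerate.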
CVE-2021-39168 is a critical vulnerability in @openzeppelin/contracts-upgradeable allowing an attacker with the executor role to reset the timelock delay to 0, gaining unrestricted access to assets.
You are affected if you are using a version of @openzeppelin/contracts-upgradeable prior to 4.3.1, especially if the executor role is set to 'open.'
Upgrade to version 4.3.1 or later of @openzeppelin/contracts-upgradeable. Restrict access to the executor role if immediate upgrading is not possible.
While no confirmed active exploitation campaigns have been reported, the vulnerability's severity makes it a high-priority target and exploitation is possible.
Refer to the OpenZeppelin security advisory: https://blog.openzeppelin.com/security-advisory-cve-2021-39168/