SCA: security update for @openzeppelin/contracts, @openzeppelin/contracts-upgradeable (GHSA-xrc4-737v-9q75)

high Tenable Cloud Security Plugin ID 420645

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances
of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum
requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is
passed to lower the quorum requirements, past proposals may become executable if they had been defeated
only due to lack of quorum and the number of votes they received meets the new quorum requirement. Analysis
of instances on chain found only one proposal that met this condition, and we are actively monitoring for
new occurrences of this particular issue. This issue has been patched in v4.7.2. Users are advised to
upgrade. Users unable to upgrade should consider avoiding lowering quorum requirements if a past proposal
was defeated for lack of quorum. (CVE-2022-31198)

See Also

https://github.com/advisories/GHSA-xrc4-737v-9q75

Plugin Details

Severity: High

ID: 420645

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2022-31198

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/18/2022

Vulnerability Publication Date: 8/1/2022

Reference Information

CVE: CVE-2022-31198

CWE: CWE-682