SCA: security update for @openzeppelin/contracts, @openzeppelin/contracts-upgradeable (GHSA-g4vp-m682-qqmp)

medium Tenable Self-Hosted Container Security Plugin ID 414872

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common; in particular, it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or for any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3. (CVE-2023-40014)

See Also

https://github.com/advisories/GHSA-g4vp-m682-qqmp

Plugin Details

Severity: Medium

ID: 414872

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 1/27/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2023-40014

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/11/2023

Vulnerability Publication Date: 8/10/2023

Reference Information

CVE: CVE-2023-40014

CWE: CWE-116