SCA: security update for @openzeppelin/contracts, @openzeppelin/contracts-upgradeable (GHSA-mx2q-35m2-x2rh)

Severity: Medium | Tenable Self-Hosted Container Security | Plugin ID 417186

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in availability. The issue has been fixed in version 4.8.3. As a workaround, if a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through. (CVE-2023-30541)

See Also

https://github.com/advisories/GHSA-mx2q-35m2-x2rh

Plugin Details

Severity: Medium

ID: 417186

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2023-30541

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/17/2023

Vulnerability Publication Date: 4/17/2023

Reference Information

CVE: CVE-2023-30541

CWE: CWE-436