CVE-2022-31172: Improper Input Validation
(updated )
OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 is vulnerable to the SignatureChecker reverting. SignatureChecker.isValidSignatureNow
is not expected to revert. However, an incorrect assumption about Solidity 0.8’s abi.decode
allows some cases to revert, given a target contract that does not implement EIP-1271 as expected. The contracts that may be affected are those that use SignatureChecker
to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.
References
Detect and mitigate CVE-2022-31172 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →