CVE-2022-31172: Improper Input Validation

July 22, 2022 (updated August 1, 2022)

OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 is vulnerable to the SignatureChecker reverting. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8’s abi.decode allows some cases to revert, given a target contract that does not implement EIP-1271 as expected. The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.

References

github.com/OpenZeppelin/openzeppelin-contracts/pull/3552
github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9
github.com/advisories/GHSA-4g63-c64m-25w9

Code Behaviors & Features

Detect and mitigate CVE-2022-31172 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →