CVE-2023-30542
- Source
- https://cve.org/CVERecord?id=CVE-2023-30542
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-30542.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-30542
- Aliases
- Published
- 2023-04-16T07:10:13.474Z
- Modified
- 2026-03-13T22:55:11.878389Z
- Severity
-
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L CVSS Calculator
- Summary
- GovernorCompatibilityBravo may trim proposal calldata
- Details
-
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (
propose) inGovernorCompatibilityBravoallows the creation of proposals with asignaturesarray shorter than thecalldatasarray. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. TheProposalCreatedevent correctly represents what will eventually execute, but the proposal parameters as queried throughgetActionsappear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal lengthsignaturesandcalldatasparameters. - Database specific
{ "cwe_ids": [ "CWE-20" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/30xxx/CVE-2023-30542.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/30xxx/CVE-2023-30542.json
- https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-93hq-5wgc-jc82
- https://nvd.nist.gov/vuln/detail/CVE-2023-30542