Improper Privilege Management
CVE-2021-39167
Summary
OpenZeppelin is a library for smart contract development. In affected versions, a vulnerability in "TimelockController" allowed an account holding the executor role to escalate its privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround, revoke the executor role from every account that is not strictly under the team's control; the recommended form of this is to revoke all executors that are not also proposers, since an executor that is already a proposer gains nothing from the escalation. When applying this mitigation, make sure that at least one proposer and at least one executor remain, otherwise the timelock can no longer schedule or execute operations. This issue affects @openzeppelin/contracts versions 3.3.0-rc.0 through 3.4.1-solc-0.7-2 and 4.0.0-beta.0 through 4.3.0.
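The workaround above is a small procedure: find the current EXECUTOR_ROLE and PROPOSER_ROLE holders, revoke the executors that are not proposers, and refuse to continue if that would leave no proposer or no executor. The script below is an added example and not OpenZeppelin's own code. It assumes you have already decoded the timelock's AccessControl RoleGranted/RoleRevoked events into plain objects (for instance with ethers or web3) and replays them to rebuild role membership; the role identifiers are written as labelled strings for readability, whereas on chain they are the bytes32 values keccak256("PROPOSER_ROLE") and keccak256("EXECUTOR_ROLE"). The sample event log is constructed for the example.

```javascript
// Added example (not OpenZeppelin code): plan the advisory's workaround for a
// TimelockController. Replays AccessControl role events to find current role
// holders, then picks the EXECUTOR_ROLE holders to revoke while enforcing the
// advisory's invariant: at least one proposer and one executor must remain.

// Labelled stand-ins; on chain these are keccak256("...") as bytes32.
const PROPOSER_ROLE = "PROPOSER_ROLE";
const EXECUTOR_ROLE = "EXECUTOR_ROLE";
// In 4.x, EXECUTOR_ROLE granted to address(0) means "anyone may execute".
const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";

// Constructed sample: decoded RoleGranted / RoleRevoked events in chain order.
// Account A is both proposer and executor, B is executor only, C was an
// executor but has been revoked, and the open-role sentinel is set.
const SAMPLE_EVENTS = [
  { name: "RoleGranted", role: PROPOSER_ROLE, account: "0xA000000000000000000000000000000000000001" },
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: "0xA000000000000000000000000000000000000001" },
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: "0xB000000000000000000000000000000000000002" },
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: "0xC000000000000000000000000000000000000003" },
  { name: "RoleRevoked", role: EXECUTOR_ROLE, account: "0xC000000000000000000000000000000000000003" },
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: ZERO_ADDRESS },
];

// Rebuild current membership per role from the event stream. AccessControl
// emits RoleGranted and RoleRevoked, so the last event per (role, account)
// wins. Addresses are lower-cased so checksummed and plain forms compare equal.
function replayRoles(events) {
  const holders = new Map(); // role -> Set of lower-cased accounts
  for (const ev of events) {
    const account = ev.account.toLowerCase();
    if (!holders.has(ev.role)) holders.set(ev.role, new Set());
    if (ev.name === "RoleGranted") holders.get(ev.role).add(account);
    else if (ev.name === "RoleRevoked") holders.get(ev.role).delete(account);
    else throw new Error(`unexpected event ${ev.name}`);
  }
  return holders;
}

// Choose the executors to revoke per the advisory: every executor that is not
// also a proposer. The open-role sentinel address(0) is always revoked, since
// it lets any account execute. Throws rather than returning a plan that would
// leave the timelock without a proposer or without an executor.
function planExecutorRevocations(holders) {
  const proposers = holders.get(PROPOSER_ROLE) ?? new Set();
  const executors = holders.get(EXECUTOR_ROLE) ?? new Set();
  if (proposers.size === 0) {
    throw new Error("no PROPOSER_ROLE holder: grant one before touching executors");
  }
  const revoke = [...executors].filter(a => a === ZERO_ADDRESS || !proposers.has(a));
  const remainingExecutors = [...executors].filter(a => !revoke.includes(a));
  if (remainingExecutors.length === 0) {
    throw new Error("plan would leave no executor: grant EXECUTOR_ROLE to a proposer first");
  }
  // revokeRole(bytes32 role, address account) is the AccessControl call to submit
  // from an account holding the admin role of EXECUTOR_ROLE.
  const calls = revoke.map(account => ({ fn: "revokeRole", args: [EXECUTOR_ROLE, account] }));
  return { revoke, remainingExecutors, remainingProposers: [...proposers], calls };
}

function planFromEvents(events) {
  return planExecutorRevocations(replayRoles(events));
}

// Stand-alone run over the constructed sample.
console.log(JSON.stringify(planFromEvents(SAMPLE_EVENTS), null, 2));
```

On a TimelockController the admin of EXECUTOR_ROLE is TIMELOCK_ADMIN_ROLE, which the timelock holds for itself (and, in the affected 4.x versions, the deployer also receives at construction). If the deployer has already renounced it, the revokeRole calls have to be scheduled through the timelock by a proposer and executed after the delay, so plan the revocations in one batch rather than removing the executor you will need to run it.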
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-269 - Improper Privilege Management
An effective privilege management infrastructure provides valid users with required access and privileges across heterogeneous technology environments. An application with a faulty privilege management infrastructure allows higher than authorized privileges or enables privilege escalation. This can lead to security incidents such as system infiltration, data breach, and complete system takeover.
References
Advisory Timeline
- Published