kleros-v2-contracts-0.1.1.tgz: 1 vulnerabilities (highest severity is: 6.5) #951
Labels: dependencies, Mend: dependency security vulnerability, Type: Security🛡️
Vulnerable Library - kleros-v2-contracts-0.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-27094
Vulnerable Library - contracts-4.9.3.tgz
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.9.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.
Publish Date: 2024-02-29
URL: CVE-2024-27094
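To make the advisory text concrete, here is an added JavaScript model of the failure mode described above. It is not OpenZeppelin's code and does not reproduce their assembly; it is a plain chunked Base64 encoder in which `memory` is an array of bytes standing in for EVM memory and `len` is the declared input length, so `memory[len..]` models whatever happens to sit after the input buffer. The `maskTail` option is an assumed name for the hardened behaviour (bytes past the input contribute zero bits, which is what standard Base64 padding requires); the sample input and the 0xff "adjacent memory" bytes are constructed for the demonstration.

```javascript
// Added example, not OpenZeppelin's code: a chunked Base64 encoder that, like
// the affected versions described in the advisory, fetches a whole 3-byte
// chunk even when fewer than 3 input bytes remain.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// memory: array of bytes modelling EVM memory; len: declared input length.
// maskTail (assumed name): when true, bytes past the input are treated as 0.
function encodeChunked(memory, len, { maskTail }) {
  let out = "";
  for (let i = 0; i < len; i += 3) {
    const remaining = len - i;
    // The over-read: all three bytes are fetched regardless of `remaining`,
    // so for the last chunk b1/b2 may come from beyond the input buffer.
    const b0 = memory[i] ?? 0;
    let b1 = memory[i + 1] ?? 0;
    let b2 = memory[i + 2] ?? 0;
    if (maskTail) {
      // Hardened form: out-of-buffer bytes contribute zero bits.
      if (remaining < 2) b1 = 0;
      if (remaining < 3) b2 = 0;
    }
    const triple = (b0 << 16) | (b1 << 8) | b2;
    out += ALPHABET[(triple >> 18) & 0x3f];
    // This character mixes the low 2 bits of b0 with the high 4 bits of b1,
    // so garbage in b1 changes it even though the '=' padding is correct.
    out += ALPHABET[(triple >> 12) & 0x3f];
    out += remaining > 1 ? ALPHABET[(triple >> 6) & 0x3f] : "=";
    out += remaining > 2 ? ALPHABET[triple & 0x3f] : "=";
  }
  return out;
}

// Reference encoding from Node's Buffer, for comparison.
function referenceEncode(bytes) {
  return Buffer.from(bytes).toString("base64");
}

// True when the bytes sitting after the input can change the unmasked
// encoder's output, i.e. when the over-read is observable. Expected to hold
// exactly when inputBytes.length % 3 !== 0.
function overreadObservable(inputBytes) {
  const len = inputBytes.length;
  const clean = [...inputBytes, 0x00, 0x00];
  const dirty = [...inputBytes, 0xff, 0xff];
  return (
    encodeChunked(clean, len, { maskTail: false }) !==
    encodeChunked(dirty, len, { maskTail: false })
  );
}

// Constructed input: the single byte 'M' (length 1, not a multiple of 3),
// followed by two bytes of "adjacent memory" that are not part of the input.
const INPUT = [0x4d];
const MEMORY = [...INPUT, 0xff, 0xff];
console.log("reference:", referenceEncode(INPUT)); // TQ==
console.log("unmasked :", encodeChunked(MEMORY, INPUT.length, { maskTail: false })); // Tf==
console.log("masked   :", encodeChunked(MEMORY, INPUT.length, { maskTail: true })); // TQ==
console.log("observable for len 1/2/3:",
  overreadObservable([0x4d]), overreadObservable([0x4d, 0x61]), overreadObservable([0x4d, 0x61, 0x6e]));
```

The point the model makes is that padding the output with `=` is not enough: the second character of the final 4-character group already depends on bits read from beyond the buffer, so the encoded string itself becomes a function of unrelated memory contents whenever the input length is not a multiple of 3.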
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2024-02-29
Fix Resolution (@openzeppelin/contracts): 4.9.6
Direct dependency fix Resolution (@kleros/kleros-v2-contracts): 0.3.1
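Because the vulnerable copy here is pulled in transitively through @kleros/kleros-v2-contracts, bumping a top-level pin is not enough: every installed copy of @openzeppelin/contracts, including ones nested under other packages, has to reach a fixed version. The following is an added example, not Mend's or the project's tooling, that walks a package-lock.json `packages` map (lockfile version 2 or 3) and classifies each copy against the fix versions named in this advisory. The lockfile content is constructed for the demonstration; the function names and the handling of majors other than 4 and 5 (reported as outside the advisory's stated range rather than assumed safe) are the example's own choices.

```javascript
// Added example, not Mend's or the project's tooling: find every installed
// copy of @openzeppelin/contracts in a package-lock.json and check it against
// the fix versions this advisory names (4.9.6 for 4.x, 5.0.2 for 5.x).
const FIXED = { 4: [4, 9, 6], 5: [5, 0, 2] };

// "4.9.3-rc.1+build" -> [4, 9, 3]; prerelease/build metadata is ignored.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10));
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "affected" | "fixed" | "outside-advisory-range" (majors the advisory
// does not name a fix for are not assumed safe, only flagged for review).
function classify(version) {
  const fixed = FIXED[parseVersion(version)[0]];
  if (!fixed) return "outside-advisory-range";
  return compareVersions(version, fixed.join(".")) < 0 ? "affected" : "fixed";
}

// Scan the lockfile's "packages" map; nested copies live at paths such as
// node_modules/<parent>/node_modules/@openzeppelin/contracts.
function findOpenZeppelinCopies(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    if (path.endsWith("node_modules/@openzeppelin/contracts")) {
      hits.push({ path, version: meta.version, status: classify(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile (not the repository's real lockfile): the
// top-level copy is fixed, the copy nested under the direct dependency is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@kleros/kleros-v2-contracts": "0.1.1" } },
    "node_modules/@openzeppelin/contracts": { version: "5.0.2" },
    "node_modules/@kleros/kleros-v2-contracts": {
      version: "0.1.1",
      dependencies: { "@openzeppelin/contracts": "4.9.3" },
    },
    "node_modules/@kleros/kleros-v2-contracts/node_modules/@openzeppelin/contracts": { version: "4.9.3" },
  },
};

for (const hit of findOpenZeppelinCopies(SAMPLE_LOCK)) {
  console.log(`${hit.status.padEnd(8)} ${hit.version}  ${hit.path}`);
}
```

To run it against a real lockfile, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; an "affected" line whose path is nested under another package is the case this issue describes, and it is resolved by upgrading that parent (here @kleros/kleros-v2-contracts to 0.3.1, per the fix resolution above) rather than by pinning @openzeppelin/contracts at the root.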