Cairo Contracts
Approved changes feed: RSS · Atom
cpe:2.3:a:openzeppelin:cairo-contracts:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Openzeppelin (e0e03368-afa5-5522-8058-af42a8cb296b) |
|---|---|
| Product | Cairo Contracts (04a58864-1325-59f8-b9f4-ddd3294cc8ba) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2024-45304 |
vulnerable | 2026-06-08 06:45:55.848494 |
OwnableTwoStep allows a pending owner to accept ownership after the original owner has renounced ownership in cairo-contracts
MEDIUM (5.3)
Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. This vulnerability can lead to unauthorized ownership transfer, contrary to the original owner's intention of leaving the contract without an owner. It introduces a security risk where an unintended party (pending owner) can gain control of the contract after the original owner has renounced ownership. This could also be used by a malicious owner to simulate leaving a contract without an owner, to later regain ownership by previously having proposed himself as a pending owner. This issue has been addressed in release version 0.16.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Published: 2024-08-30T23:51:01.301Z
Updated: 2024-09-03T19:52:20.818Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-23940 |
vulnerable | 2026-06-08 05:56:04.870673 |
OpenZeppelin Contracts for Cairo is vulnerable to signature validation bypass
MEDIUM (6.4)
OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.
Published: 2023-02-03T19:43:11.178Z
Updated: 2025-03-10T21:16:55.772Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-31153 |
vulnerable | 2026-06-08 05:43:40.293461 |
OpenZeppelin Contracts for Cairo account cannot process transactions on Goerli
MEDIUM (6.5)
OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1.
Published: 2022-07-15T17:50:14.000Z
Updated: 2025-04-22T17:48:58.458Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.