CVE-2021-39168 : Security Advisory and Response
Critical CVE-2021-39168 in OpenZeppelin Contracts TimelockController allows unauthorized privilege escalation. Learn about the impact, affected versions, and mitigation steps.
OpenZepplin is a library for smart contract development. In affected versions, a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Revoking the executor role from unauthorized accounts is recommended.
Understanding CVE-2021-39168
This CVE discloses a critical vulnerability in the TimelockController of OpenZeppelin Contracts.
What is CVE-2021-39168?
- Affects OpenZeppelin Contracts versions with specified version ranges
- The vulnerability allows an actor with the executor role to escalate privileges
- CVSS Score: 10 (Critical)
The Impact of CVE-2021-39168
- Base Score: 10 (Critical)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Technical Details of CVE-2021-39168
This section provides detailed technical information about the vulnerability.
Vulnerability Description
- The vulnerability in TimelockController allows unauthorized privilege escalation
Affected Systems and Versions
- OpenZeppelin Contracts versions:
=4.0.0, < 4.3.1
=3.3.0, < 3.4.2
= 3.3.0-solc-0.7, < 3.4.2-solc-0.7
Exploitation Mechanism
- Attack complexity: Low
- Privileges required: None
- Attack vector: Network
Mitigation and Prevention
Actions to prevent and mitigate the impact of CVE-2021-39168.
Immediate Steps to Take
- Revoke executor role from unauthorized accounts
- Ensure at least one proposer and executor remain
Long-Term Security Practices
- Regularly review and update roles and permissions
- Conduct security audits and code reviews
Patching and Updates
- Update to a fixed version of OpenZeppelin Contracts