How severe is CVE-2023-23940?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2023-23940?

This is classified as CWE-345, which is a common weakness in software security.

CVE-2023-23940 - MEDIUM Severity | CVSS 5.3

Vulnerability Description

OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.

Related Vulnerabilities

CVE-2015-9232

MEDIUM

CVSS:5.3(Medium)

The Good for Enterprise application 3.0.0.415 for Android does not use signature protection for its Authentication Delegation API intent. Also, the Good Dynamic application activation process does not...

CWE-3452015

CVE-2017-10862

MEDIUM

CVSS:5.3(Medium)

jwt-scala 1.2.2 and earlier fails to verify token signatures correctly which may lead to an attacker being able to pass specially crafted JWT data as a correctly signed token.

CWE-3452017

CVE-2018-17938

MEDIUM

CVSS:5.3(Medium)

Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value.

CWE-3452018

CVE-2019-11737

MEDIUM

CVSS:5.3(Medium)

If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly a...

CWE-3452019

CVE-2019-12620

MEDIUM

CVSS:5.3(Medium)

A vulnerability in the statistics collection service of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to inject arbitrary values on an affected device. The vulnerability is ...

CWE-3452019

CVE-2019-15162

MEDIUM

CVSS:5.3(Medium)

rpcapd/daemon.c in libpcap before 1.9.1 on non-Windows platforms provides details about why authentication failed, which might make it easier for attackers to enumerate valid usernames.

CWE-3452019