CVE-2023-34234

Description

### Impact By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. ### Patches The problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. ### Workarounds Submit the proposal creation transaction to an endpoint with frontrunning protection. ### Credit Reported by Lior Abadi and Joaquin Pereyra from Coinspect. ### References https://www.coinspect.com/openzeppelin-governor-dos/

How to fix CVE-2023-34234

To remediate CVE-2023-34234, upgrade the affected package to a fixed version below.

• —upgrade to 4.9.1 or later
• —upgrade to 4.9.1 or later

Is CVE-2023-34234 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 4.3.0, < 4.9.1
• >= 4.3.0, < 4.9.1

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-34234
• PATCHgithub.com/OpenZeppelin/openzeppelin-contracts
• WEBgithub.com/OpenZeppelin/openzeppelin-contracts/commit/d9474327a492f9f310f31bc53f38dbea56ed9a57
• WEBgithub.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.1