CVE-2022-35916: 
JavaScript vulnerability analysis and mitigation

OpenZeppelin Contracts, a library for secure smart contract development, disclosed a vulnerability (CVE-2022-35916) affecting versions 4.6.0 to 4.7.2. The vulnerability was discovered in the cross chain utilities for Arbitrum L2, specifically in the CrossChainEnabledArbitrumL2 and LibArbitrumL2 components. The issue was identified and patched in July 2022 (GitHub Advisory).

The vulnerability stems from a misclassification in the cross chain utilities for Arbitrum L2, where direct interactions from externally owned accounts (EOAs) are incorrectly classified as cross chain calls, even though they are not initiated on L1. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

The vulnerability has been assessed as low severity because any action that could be taken by an EOA on the contract could also be taken by the EOA through the bridge if the issue was not present. The impact primarily affects the integrity of cross chain call classification without compromising confidentiality or availability (GitHub Advisory).

The vulnerability has been patched in version 4.7.2 of OpenZeppelin Contracts. Users are advised to upgrade to this version or later. No alternative workarounds have been identified for this issue (GitHub Advisory).