CVE-2023-30542: 
JavaScript vulnerability analysis and mitigation

OpenZeppelin Contracts, a library for secure smart contract development, was found to contain a vulnerability in the GovernorCompatibilityBravo contract's proposal creation entrypoint ('propose'). The vulnerability, identified as CVE-2023-30542, affects versions from 4.3.0 to 4.8.3 and was disclosed in April 2023. The issue allows the creation of proposals with a 'signatures' array shorter than the 'calldatas' array (Vendor Advisory).

The vulnerability stems from a mismatch handling between signatures and calldatas arrays in the propose function. When a proposal is created with a signatures array shorter than the calldatas array, the additional elements of the calldatas array are ignored during execution. While the ProposalCreated event correctly shows what will execute, the getActions query function displays the original intended calldata, creating a discrepancy between the displayed and actual execution behavior. The vulnerability has been assigned a CVSS v3.1 score of 8.8 HIGH (NVD).

If exploited, this vulnerability could lead to proposals executing with missing or incorrect calldata, potentially causing unexpected behavior in the governance system. The discrepancy between what is displayed through getActions and what actually executes could lead to confusion and potential manipulation of governance proposals (Vendor Advisory).

The vulnerability has been patched in version 4.8.3 of OpenZeppelin Contracts. For users unable to upgrade immediately, a workaround is available: ensure that all proposals passing through governance have equal length signatures and calldatas parameters. Users are strongly advised to upgrade to the patched version (Release Notes).