CVE-2023-31146

Exploit

EPSS 0.17%
Veröffentlicht 11.05.2023 21:15:10
Zuletzt bearbeitet 24.01.2025 16:15:32
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vyperlang ≫ Vyper Version < 0.3.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.38

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb

Patch

https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-31146

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-31146

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-31146

EUVD