CVE-2023-31146

Exploit

EPSS 1.24%
Veröffentlicht 11.05.2023 21:15:10
Zuletzt bearbeitet 24.01.2025 16:15:32
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vyper vulnerable to OOB DynArray access when array is on both LHS and RHS of an assignment

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vyperlang ≫ Vyper Version < 0.3.8

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.24%	0.653

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb

Patch

https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-31146

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-31146

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-31146

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-31146