CVE-2023-41052

Exploit

EPSS 0.07%
Veröffentlicht 04.09.2023 18:15:08
Zuletzt bearbeitet 21.11.2024 08:20:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vyperlang ≫ Vyper SwPlatformpython Version <= 0.3.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.214

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-670 Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

https://github.com/vyperlang/vyper/pull/3583

Patch

https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq

Patch

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-41052

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-41052

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-41052

EUVD