5.3

CVE-2023-42441

Exploit

Vyper has incorrect re-entrancy lock when key is empty string

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure the lock name is a non-empty string.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VyperlangVyper SwPlatformpython Version >= 0.2.9 < 0.3.10
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.42% 0.337
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-667 Improper Locking

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

CWE-833 Deadlock

The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

https://github.com/vyperlang/vyper/commit/0b740280c1e3c5528a20d47b29831948ddcc6d83
Patch
https://github.com/vyperlang/vyper/pull/3605
Patch
Issue Tracking
https://github.com/vyperlang/vyper/security/advisories/GHSA-3hg2-r75x-g69m
Patch
Vendor Advisory
Exploit