Description
Vyper is a Pythonic Smart Contract Language for the EVM. The _abi_decode() function does not validate input when it is nested in an expression. Uses of _abi_decode() can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release 0.3.10. Users are advised to reference pull request #3626.
References
- Patch
- Exploit, Patch, Third Party Advisory
- Patch
- Exploit, Patch, Third Party Advisory
Vulnerable configurations
Configuration 1: versions from 0.3.4 (inclusive) to 0.3.10 (exclusive)
cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*
EPSS
Percentile: 15%
0.00048
Low
5.3 Medium
CVSS3
7.5 High
CVSS3
Weaknesses
CWE-682
Related vulnerabilities
CVSS3: 5.3
github
more than 2 years ago
Vyper's `_abi_decode` input not validated in complex expressions