CVE-2024-24564

Опубликовано: 26 фев. 2024

Источник: nvd

CVSS3: 3.7

CVSS3: 5.3

EPSS Низкий

Описание

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. When using the built-in extract32(b, start), if the start index provided has for side effect to update b, the byte array to extract 32 bytes from, it could be that some dirty memory is read and returned by extract32. This vulnerability is fixed in 0.4.0.

Ссылки

https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f
Patch
https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx
Exploit
Vendor Advisory
https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*

Версия до 0.4.0 (исключая)

EPSS

Процентиль: 64%

0.00475

Низкий

3.7 Low

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-125

Связанные уязвимости

GHSA-4hwq-4cpm-8vmx

CVSS3: 3.7

github

почти 2 года назад

Vyper's `extract32` can ready dirty memory

EPSS

Процентиль: 64%

0.00475

Низкий

3.7 Low

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-125