Skip to main content

Vyper CVE-2023-39363

CRITICAL
Incorrect Authorization (CWE-863)
2023-08-07 security-advisories@github.com
9.1
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Aug 07, 2023 - 19:15 cve.org
CRITICAL 9.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on vyper (1 direct, 1 indirect)

Ecosystem-wide dependent count for version 0.2.15.

DescriptionCVE.org

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock regardless of the key, allowing cross-function re-entrancy in contracts compiled with the susceptible versions. A specific set of conditions is required to result in misbehavior of affected contracts, specifically: a .vy contract compiled with vyper versions 0.2.15, 0.2.16, or 0.3.0; a primary function that utilizes the @nonreentrant decorator with a specific key and does not strictly follow the check-effects-interaction pattern (i.e. contains an external call to an untrusted party before storage updates); and a secondary function that utilizes the same key and would be affected by the improper state caused by the primary function. Version 0.3.1 contains a fix for this issue.

AnalysisAI

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock regardless of the key, allowing cross-function re-entrancy in contracts compiled with the susceptible versions. A specific set of conditions is required to result in misbehavior of affected contracts, specifically: a .vy contract compiled with vyper versions 0.2.15, 0.2.16, or 0.3.0; a primary function that utilizes the @nonreentrant decorator with a specific key and does not strictly follow the check-effects-interaction pattern (i.e. contains an external call to an untrusted party before storage updates); and a secondary function that utilizes the same key and would be affected by the improper state caused by the primary function. Version 0.3.1 contains a fix for this issue. Affected products include: Vyperlang Vyper. Version information: Version 0.3.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

More in Vyper

View all
CVE-2024-24563 CRITICAL POC
9.8 Feb 07

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Rated critical severity (CVSS 9.8), this v

CVE-2024-24561 CRITICAL POC
9.8 Feb 01

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Rated critical severity (CVSS 9.8), this v

CVE-2024-22419 CRITICAL POC
9.8 Jan 18

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Rated critical severity (CVSS 9.8), this v

CVE-2022-24845 CRITICAL POC
9.8 Apr 13

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Rated critical severity (CVSS 9.8), this v

CVE-2023-31146 CRITICAL POC
9.1 May 11

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Rated critical severity (CVSS 9.1), this v

CVE-2023-42443 HIGH POC
8.1 Sep 18

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Rated high severity (CVSS 8.1), this

CVE-2023-42460 HIGH POC
7.5 Sep 27

Vyper is a Pythonic Smart Contract Language for the EVM. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2023-32059 HIGH POC
7.5 May 11

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Rated high severity (CVSS 7.5), this vulne

CVE-2023-32058 HIGH POC
7.5 May 11

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Rated high severity (CVSS 7.5), this vulne

CVE-2023-30837 HIGH POC
7.5 May 08

Vyper is a pythonic smart contract language for the EVM. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2023-30629 HIGH POC
7.5 Apr 24

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. Rated high severity (CVSS 7.5), this vulne

CVE-2022-29255 HIGH POC
7.5 Jun 09

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. Rated high severity (CVSS 7.5), this vulne

Share

CVE-2023-39363 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy