CVE-2023-39363

CVSS 3.1 Score 5.9 of 10 (medium)

Details

Published Aug 7, 2023
Updated: Sep 18, 2023
CWE ID 863

Summary

CVE-2023-39363 is a vulnerability in Vyper, the Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). It affects Vyper versions 0.2.15, 0.2.16, and 0.3.0. In these versions named re-entrancy locks are allocated incorrectly: each function using a named lock receives its own lock regardless of the key, so two functions decorated with the same key (for example `@nonreentrant('lock')`) do not exclude each other. This allows cross-function re-entrancy in contracts compiled with the affected versions. A specific set of conditions must hold for a contract to misbehave: a `.vy` contract compiled with Vyper 0.2.15, 0.2.16, or 0.3.0; a primary function that uses the `@nonreentrant` decorator with a specific key and does not strictly follow the check-effects-interaction pattern (it makes an external call before updating its own state); and a secondary function that uses the same key and would be affected by the improper state left by the primary function while its external call is in flight. The issue is fixed in Vyper 0.3.1. This vulnerability has a base severity rating of MEDIUM and an impact score of 3.6 out of 10 according to CVSS (Common Vulnerability Scoring System) version 3.1.

Affected products: Vyper versions 0.2.15, 0.2.16, and 0.3.0.

Remediation: Upgrade to Vyper 0.3.1 or later and recompile. Because the defect is in the compiler, a contract already deployed from an affected version keeps the behaviour; such a contract is exploitable only when the conditions above hold, so review whether any function guarded by a shared `@nonreentrant` key makes an external call before updating state.

Potential danger: An attacker could exploit cross-function re-entrancy in contracts compiled with the affected versions, re-entering a secondary function while the primary function's state is inconsistent and thereby manipulating balances or other state within affected contracts on the Ethereum network.
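The following Python model of the lock allocation described above is an added illustration; it is not Vyper code and not the Vyper project's own code. The `Pool` class, its `add_liquidity` and `remove_liquidity` functions, the share arithmetic, the `attack` helper and every balance are constructed for the example. The `per_key_locks` flag switches between one lock slot per function (the behaviour of Vyper 0.2.15 through 0.3.0) and one slot per key (the 0.3.1 fix); the `cei` flag shows that a primary function which updates state before its external call is not exploitable even on an affected compiler, which is the second condition in the advisory.

```python
"""Model of CVE-2023-39363: per-function versus per-key named re-entrancy locks.

Added illustration, not Vyper code and not Vyper's own code. Two functions share
the key 'lock', as with @nonreentrant('lock') in a .vy contract. Affected compiler
versions gave each function its own lock regardless of the key; the fix gives every
function using a key the same lock. All names and balances are constructed.
"""
import copy


class ReentrancyError(Exception):
    """Stands in for the revert a held @nonreentrant lock causes on the EVM."""


class Pool:
    def __init__(self, per_key_locks: bool, cei: bool = False):
        # per_key_locks=False: one lock slot per function (Vyper 0.2.15-0.3.0 behaviour)
        # per_key_locks=True : one lock slot per key (Vyper 0.3.1+ behaviour)
        # cei=True           : primary function applies effects before its external call
        self.per_key_locks = per_key_locks
        self.cei = cei
        self.locks = {}        # lock slot -> held?
        self.balance = 0       # ETH actually held; drops the moment ETH is sent
        self.total_shares = 0  # LP accounting, updated only by the contract's own code
        self.shares = {}

    def _slot(self, key, func):
        return key if self.per_key_locks else (key, func)

    def _acquire(self, key, func):
        slot = self._slot(key, func)
        if self.locks.get(slot):
            raise ReentrancyError(f"{func}: lock {key!r} already held")
        self.locks[slot] = True
        return slot

    def _release(self, slot):
        self.locks[slot] = False

    # Secondary function, @nonreentrant('lock'): prices new shares off balance/total_shares.
    def add_liquidity(self, who, amount):
        slot = self._acquire("lock", "add_liquidity")
        try:
            if self.total_shares == 0:
                minted = amount
            else:
                minted = amount * self.total_shares // self.balance
            self.balance += amount
            self.total_shares += minted
            self.shares[who] = self.shares.get(who, 0) + minted
            return minted
        finally:
            self._release(slot)

    # Primary function, @nonreentrant('lock'): sends ETH (raw_call) and only then burns shares.
    def remove_liquidity(self, who, receiver):
        slot = self._acquire("lock", "remove_liquidity")
        try:
            s = self.shares[who]
            amount = self.balance * s // self.total_shares
            if self.cei:               # check-effects-interaction: effects first
                self.shares[who] -= s
                self.total_shares -= s
            self.balance -= amount     # the ETH leaves now ...
            receiver(self, amount)     # ... and the receiver's fallback code runs here
            if not self.cei:           # effects after the interaction: the bad ordering
                self.shares[who] -= s
                self.total_shares -= s
            return amount
        finally:
            self._release(slot)


def transact(pool, fn):
    """Apply fn to pool atomically: on any exception restore the old state, like an EVM revert."""
    snapshot = copy.deepcopy(pool.__dict__)
    try:
        return fn(pool)
    except Exception:
        pool.__dict__.update(snapshot)
        raise


def attack(pool):
    """Honest user and attacker deposit 100 each; the attacker withdraws and re-enters add_liquidity.
    Returns the ETH the attacker can claim afterwards (100 means no gain)."""
    pool.add_liquidity("honest", 100)
    pool.add_liquidity("attacker", 100)

    def fallback(p, received):
        # Cross-function re-entry: the ETH is gone but total_shares has not been burned yet,
        # so new shares are minted at a deflated price.
        p.add_liquidity("attacker", received)

    transact(pool, lambda p: p.remove_liquidity("attacker", fallback))
    return pool.balance * pool.shares["attacker"] // pool.total_shares


def attack_reverts(pool):
    """True if the re-entrant call is blocked by the shared lock and the transaction reverts."""
    try:
        attack(pool)
        return False
    except ReentrancyError:
        return True


if __name__ == "__main__":
    print("affected compiler, send before burn:", attack(Pool(per_key_locks=False)))
    print("affected compiler, CEI ordering:    ", attack(Pool(per_key_locks=False, cei=True)))
    print("fixed compiler reverts the re-entry:", attack_reverts(Pool(per_key_locks=True)))
```

With one slot per function the attacker turns a 100 deposit into a claim on 133 of the pool's 200 while holding the `remove_liquidity` lock; with one slot per key the nested `add_liquidity` hits the held lock and the whole call reverts; and with effects applied before the send the re-entry still succeeds on the affected compiler but mints at the correct price, so the attacker gains nothing.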
