CVE-2023-30837

Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb	Patch
https://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6	Exploit Vendor Advisory
https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb	Patch
https://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-05-08 17:15

Updated : 2024-11-21 08:00

NVD link : CVE-2023-30837

Mitre link : CVE-2023-30837

CVE.ORG link : CVE-2023-30837

JSON object : View

Products Affected

vyperlang

vyper

CWE

CWE-789

Memory Allocation with Excessive Size Value

{"id": "CVE-2023-30837", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-05-08T17:15:12.007", "references": [{"url": "https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda457161bb", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-789"}]}], "descriptions": [{"lang": "en", "value": "Vyper is a pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8.\n"}], "lastModified": "2024-11-21T08:00:56.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E33CC4B-8A7D-4AB9-91C6-7B103ED59531", "versionEndExcluding": "0.3.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}