CVE-2023-30543

MEDIUM | CVSS 5.7/10 | EPSS 0.38%

CVE-2023-30543 is a medium-severity vulnerability rated 5.7/10 on the CVSS scale. @web3-react is a framework for building Ethereum apps. In affected versions, the `chainId` may be outdated if the user changes chains as part of the connection flow. EPSS estimates a 0.38% chance of exploitation in the next 30 days.

Description

@web3-react is a framework for building Ethereum apps. In affected versions, the `chainId` may be outdated if the user changes chains as part of the connection flow. This means that the value of `chainId` returned by `useWeb3React()` may be incorrect, and so any data an application derives from `chainId` could also be incorrect. For example, if a swapping application derives a wrapped token contract address from the `chainId` *and* a user has changed chains as part of their connection flow, the application could cause the user to send funds to the incorrect address when wrapping. This issue has been addressed in PR #749 and the fix is available in updated npm artifacts. There are no known workarounds for this issue. Users are advised to upgrade.

Metrics

CVSS 3.1: 5.7/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

EPSS Probability: 0.38% (29.6th percentile)

Probability of exploitation in the next 30 days.

Affected Software

| Vendor | Product | Versions | Update |
|---|---|---|---|
| Uniswap | Web3-React Coinbase-Wallet | >= 6.0.0, <= 6.2.14 | |
| Uniswap | Web3-React Coinbase-Wallet | 7.0.0 | Alpha0 |
| Uniswap | Web3-React Coinbase-Wallet | 7.0.1 | Alpha0 |
| Uniswap | Web3-React Coinbase-Wallet | 7.0.2 | Alpha0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.22 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.23 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.24 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.25 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.26 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.27 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.28 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.29 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.30 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.31 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.32 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.33 | Beta0 |
| Uniswap | Web3-React Coinbase-Wallet | 8.0.34 | Beta0 |
| Uniswap | Web3-React Eip1193 | >= 6.0.0, <= 6.2.14 | |
| Uniswap | Web3-React Eip1193 | 7.0.0 | Alpha0 |
| Uniswap | Web3-React Eip1193 | 7.0.1 | Alpha0 |
| Uniswap | Web3-React Eip1193 | 7.0.2 | Alpha0 |
| Uniswap | Web3-React Eip1193 | 8.0.0 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.1 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.2 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.3 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.4 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.5 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.6 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.7 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.8 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.9 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.10 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.11 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.12 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.13 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.14 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.15 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.16 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.17 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.18 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.19 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.20 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.21 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.22 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.23 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.24 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.25 | Beta0 |
| Uniswap | Web3-React Eip1193 | 8.0.26 | Beta0 |
| Uniswap | Web3-React Metamask | >= 6.0.0, <= 6.2.14 | |
| Uniswap | Web3-React Metamask | 8.0.0 | Beta0 |

Showing 50 of 120 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status: Modified

Frequently Asked Questions

How severe is CVE-2023-30543?
CVE-2023-30543 has a CVSS score of 5.7/10 (MEDIUM severity). The EPSS model estimates a 0.38% probability of exploitation in the next 30 days.
How do I fix CVE-2023-30543?
Check the vendor references and advisories linked above for patched versions and mitigation guidance.

Source: NVD / NIST