CVE-2023-41052
Last modified
CVE-2023-41052 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. EPSS estimates a 0.46% chance of exploitation in the next 30 days.
Description
Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vyperlang | Vyper | <= 0.3.9 |
References
- https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxqExploit, Patch, Third Party Advisory
- https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxqExploit, Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-41052?
How severe is CVE-2023-41052?
How do I fix CVE-2023-41052?
Are you affected by CVE-2023-41052?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST