CVE-2018-18920 – py-evm
Package
Manager: pip
Name: py-evm
Vulnerable Version: =0.2.0a33
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00779 (percentile 0.72789)
Details
Py-EVM is vulnerable to arbitrary bytecode injection. Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.execute_bytecode call that triggers computation._stack.values with '"stack": [100, 100, 0]' where b'\x' was expected, resulting in an execution failure because of an invalid opcode. This is reportedly related to "smart contracts can be executed indefinitely without gas being paid."
Metadata
Created: 2018-11-21T22:23:04Z
Modified: 2024-10-21T20:22:22Z
Source: MANUAL
CWE IDs: ["CWE-119"]
Alternative ID: GHSA-vqgp-4jgj-5j64
Finding: F316
Auto approve: 1