CVE-2023-42441 – vyper

Package

Manager: pip
Name: vyper
Vulnerable Version: >=0.2.9 <0.3.10

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00151 pctl0.36353

Details

Vyper has incorrect re-entrancy lock when key is empty string ### Impact Locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. ```Vyper @nonreentrant("") # unprotected @external def bar(): pass @nonreentrant("lock") # protected @external def foo(): pass ``` ### Patches Patched in #3605 ### Workarounds The lock name should be a non-empty string. ### References _Are there any links users can visit to find out more?_

Metadata

Created: 2023-09-18T19:20:55Z
Modified: 2024-11-22T20:35:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3hg2-r75x-g69m/GHSA-3hg2-r75x-g69m.json
CWE IDs: ["CWE-667", "CWE-833"]
Alternative ID: GHSA-3hg2-r75x-g69m
Finding: F115
Auto approve: 1