CVE-2024-24564
3.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. When using the built-in extract32(b, start), if the start index provided has for side effect to update b, the byte array to extract 32 bytes from, it could be that some dirty memory is read and returned by extract32. This vulnerability is fixed in 0.4.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vyperlang | vyper | < 0.4.0 | affected |
Weaknesses
- CWE-125: CWE-125: Out-of-bounds Read
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx
- https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.