GHSA-3hg2-r75x-g69m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3hg2-r75x-g69m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3hg2-r75x-g69m/GHSA-3hg2-r75x-g69m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3hg2-r75x-g69m
- Aliases
- Related
- Published
- 2023-09-18T19:20:55Z
- Modified
- 2024-11-22T20:46:11.846284Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Vyper has incorrect re-entrancy lock when key is empty string
- Details
-
Impact
Locks of the type
@nonreentrant("")or@nonreentrant('')do not produce reentrancy checks at runtime.@nonreentrant("") # unprotected @external def bar(): pass @nonreentrant("lock") # protected @external def foo(): passPatches
Patched in #3605
Workarounds
The lock name should be a non-empty string.
References
Are there any links users can visit to find out more?
- Database specific
{ "nvd_published_at": "2023-09-18T21:16:09Z", "cwe_ids": [ "CWE-667", "CWE-833" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-09-18T19:20:55Z" }- References
-
- https://github.com/vyperlang/vyper/security/advisories/GHSA-3hg2-r75x-g69m
- https://nvd.nist.gov/vuln/detail/CVE-2023-42441
- https://github.com/vyperlang/vyper/pull/3605
- https://github.com/vyperlang/vyper/commit/0b740280c1e3c5528a20d47b29831948ddcc6d83
- https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-305.yaml
- https://github.com/vyperlang/vyper
Affected packages
PyPI / vyper
Package
- Name
- vyper
- View open source insights on deps.dev
- Purl
- pkg:pypi/vyper