GHSA-3hg2-r75x-g69m

Source
https://github.com/advisories/GHSA-3hg2-r75x-g69m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3hg2-r75x-g69m/GHSA-3hg2-r75x-g69m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3hg2-r75x-g69m
Published
2023-09-18T19:20:55Z
Modified
2024-11-22T20:46:11.846284Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Vyper has incorrect re-entrancy lock when key is empty string
Details

Impact

Locks of the type @nonreentrant("") or @nonreentrant('') do not produce reentrancy checks at runtime.

@nonreentrant("") # unprotected
@external
def bar():
    pass

@nonreentrant("lock") # protected
@external
def foo():
    pass

Patches

Patched in #3605

Workarounds

The lock name should be a non-empty string.
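
To audit existing contracts against this workaround, the following added example (not part of the advisory or the Vyper project) scans Vyper source text for @nonreentrant decorators whose key is an empty string and reports the function each one decorates. The sample contract is constructed, and the function name baz is hypothetical.

```python
import re

# A @nonreentrant decorator at the start of a line, capturing its quoted key.
# Anchoring at line start skips decorators that are commented out.
DECORATOR = re.compile(r"""^\s*@nonreentrant\(\s*(['"])(.*?)\1\s*\)""")
DEF = re.compile(r"^\s*def\s+(\w+)\s*\(")

def find_empty_lock_keys(source):
    """Return [(decorator_line, function_name)] for every empty lock key."""
    findings = []
    pending = None  # line number of an empty-key decorator awaiting its def
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = DECORATOR.match(line)
        if match:
            if match.group(2) == "":
                pending = lineno
            continue
        func = DEF.match(line)
        if func:
            if pending is not None:
                findings.append((pending, func.group(1)))
            pending = None  # decorators never carry over to the next def
    return findings

# Constructed sample: the advisory's two functions plus a single-quoted case.
SAMPLE = '''\
@nonreentrant("")  # unprotected
@external
def bar():
    pass

@nonreentrant("lock")  # protected
@external
def foo():
    pass

@external
@nonreentrant('')
def baz():
    pass
'''

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for lineno, name in find_empty_lock_keys(fh.read()):
                print(f"{path}:{lineno}: {name}() has an empty @nonreentrant key")
```

Run it with one or more .vy file paths as arguments; any reported function needs a non-empty lock name or a compiler at the fixed version.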

Database specific
{
    "nvd_published_at": "2023-09-18T21:16:09Z",
    "cwe_ids": [
        "CWE-667",
        "CWE-833"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-18T19:20:55Z"
}
Affected packages

PyPI / vyper

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.2.9
Fixed
0.3.10

Affected versions

0.*

0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10rc1
0.3.10rc2
0.3.10rc3
0.3.10rc4
0.3.10rc5