GHSA-8pf3-6fgr-3g3g

Source
https://github.com/advisories/GHSA-8pf3-6fgr-3g3g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-8pf3-6fgr-3g3g/GHSA-8pf3-6fgr-3g3g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8pf3-6fgr-3g3g
Aliases
Related
Published
2023-04-18T22:29:53Z
Modified
2023-11-08T04:12:25.010397Z
Severity
  • 5.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L
Summary
`chainId` may be outdated if user changes chains as part of connection in @web3-react
Details

Impact

`chainId` may be outdated if the user changes chains as part of the connection flow. As a result, the value of `chainId` returned by `useWeb3React()` may be incorrect, and any data an application derives from `chainId` could be incorrect as well.

For example, if a swapping application derives a wrapped token contract address from the `chainId` and a user has changed chains as part of their connection flow, the application could cause the user to send funds to the incorrect address when wrapping. This is a common approach when using other foundational libraries like ethers, and most users of v8 will want to upgrade past the affected versions.

Patches

Patched in https://github.com/Uniswap/web3-react/pull/749. Users of web3-react@8.0.x-beta.0 should upgrade to at least:

- @web3-react/coinbase-wallet@^8.0.35-beta.0
- @web3-react/eip1193@^8.0.27-beta.0
- @web3-react/metamask@^8.0.30-beta.0
- @web3-react/walletconnect@^8.0.37-beta.0

Workarounds

N/A

References

N/A

Database specific
{
    "nvd_published_at": "2023-04-17T22:15:10Z",
    "cwe_ids": [
        "CWE-362"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-18T22:29:53Z"
}
Affected packages

npm / @web3-react/coinbase-wallet

Package

Name
@web3-react/coinbase-wallet
Purl
pkg:npm/%40web3-react/coinbase-wallet

Affected ranges

Type
SEMVER
Events
Introduced
6.0.0
Fixed
8.0.35-beta.0

npm / @web3-react/eip1193

Package

Name
@web3-react/eip1193
Purl
pkg:npm/%40web3-react/eip1193

Affected ranges

Type
SEMVER
Events
Introduced
6.0.0
Fixed
8.0.27-beta

Database specific

{
    "last_known_affected_version_range": "< 8.0.27-beta.0"
}

npm / @web3-react/metamask

Package

Name
@web3-react/metamask
Purl
pkg:npm/%40web3-react/metamask

Affected ranges

Type
SEMVER
Events
Introduced
6.0.0
Fixed
8.0.30-beta.0

npm / @web3-react/walletconnect

Package

Name
@web3-react/walletconnect
Purl
pkg:npm/%40web3-react/walletconnect

Affected ranges

Type
SEMVER
Events
Introduced
6.0.0
Fixed
8.0.37-beta.0