{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-39363","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2023-07-28T13:26:46.480Z","datePublished":"2023-08-07T18:40:25.615Z","dateUpdated":"2024-10-11T14:05:03.824Z"},"containers":{"cna":{"title":"Vyper incorrectly allocated named re-entrancy locks","problemTypes":[{"descriptions":[{"cweId":"CWE-863","lang":"en","description":"CWE-863: Incorrect Authorization","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:A","version":"4.0"}}],"references":[{"name":"https://github.com/vyperlang/vyper/security/advisories/GHSA-5824-cm3x-3c38","tags":["x_refsource_CONFIRM"],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-5824-cm3x-3c38"},{"name":"https://github.com/vyperlang/vyper/pull/2439","tags":["x_refsource_MISC"],"url":"https://github.com/vyperlang/vyper/pull/2439"},{"name":"https://github.com/vyperlang/vyper/pull/2514","tags":["x_refsource_MISC"],"url":"https://github.com/vyperlang/vyper/pull/2514"},{"name":"https://hackmd.io/@LlamaRisk/BJzSKHNjn","tags":["x_refsource_MISC"],"url":"https://hackmd.io/@LlamaRisk/BJzSKHNjn"},{"name":"https://hackmd.io/@vyperlang/HJUgNMhs2","tags":["x_refsource_MISC"],"url":"https://hackmd.io/@vyperlang/HJUgNMhs2"}],"affected":[{"vendor":"vyperlang","product":"vyper","versions":[{"version":"= 0.2.15","status":"affected"},{"version":"= 0.2.16","status":"affected"},{"version":"= 
0.3.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-10-11T14:05:03.824Z"},"descriptions":[{"lang":"en","value":"Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets its own unique lock regardless of the key, so functions that share a key do not exclude one another, which allows cross-function re-entrancy in contracts compiled with the susceptible versions. Affected contracts misbehave only when all of the following conditions hold: a `.vy` contract compiled with `vyper` version `0.2.15`, `0.2.16`, or `0.3.0`; a primary function that uses the `@nonreentrant` decorator with a specific `key` and does not strictly follow the checks-effects-interactions pattern (i.e. contains an external call to an untrusted party before storage updates); and a secondary function that uses the same `key` and would be affected by the improper state caused by the primary function. 
Version 0.3.1 contains a fix for this issue."}],"source":{"advisory":"GHSA-5824-cm3x-3c38","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T18:10:20.307Z"},"title":"CVE Program Container","references":[{"name":"https://github.com/vyperlang/vyper/security/advisories/GHSA-5824-cm3x-3c38","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/vyperlang/vyper/security/advisories/GHSA-5824-cm3x-3c38"},{"name":"https://github.com/vyperlang/vyper/pull/2439","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/vyperlang/vyper/pull/2439"},{"name":"https://github.com/vyperlang/vyper/pull/2514","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/vyperlang/vyper/pull/2514"},{"name":"https://hackmd.io/@LlamaRisk/BJzSKHNjn","tags":["x_refsource_MISC","x_transferred"],"url":"https://hackmd.io/@LlamaRisk/BJzSKHNjn"},{"name":"https://hackmd.io/@vyperlang/HJUgNMhs2","tags":["x_refsource_MISC","x_transferred"],"url":"https://hackmd.io/@vyperlang/HJUgNMhs2"}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-10-03T18:06:38.040646Z","id":"CVE-2023-39363","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-03T18:06:48.980Z"}}]}}