CVE-2024-32648 - Vulnerability Details - OpenCVE

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. Version 0.3.0 contains a patch for the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Vyperlang	Vyper

Configuration 1 [-]

cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*

No data.

References

Link	Providers
https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177
https://github.com/vyperlang/vyper/issues/2455
https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9

History

Thu, 02 Jan 2025 23:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:vyperlang:vyper::::::python::*

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-25T17:48:32.135Z

Updated: 2024-08-02T02:13:40.467Z

Reserved: 2024-04-16T14:15:26.875Z

Link: CVE-2024-32648

Vulnrichment

Updated: 2024-04-25T19:31:46.461Z

NVD

Status : Analyzed

Published: 2024-04-25T18:15:09.157

Modified: 2025-01-02T22:43:19.753

Link: CVE-2024-32648

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32648", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-16T14:15:26.875Z", "datePublished": "2024-04-25T17:48:32.135Z", "dateUpdated": "2024-08-02T02:13:40.467Z"}, "containers": {"cna": {"title": "vyper default functions don't respect nonreentrancy keys", "problemTypes": [{"descriptions": [{"cweId": "CWE-667", "lang": "en", "description": "CWE-667: Improper Locking", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9"}, {"name": "https://github.com/vyperlang/vyper/issues/2455", "tags": ["x_refsource_MISC"], "url": "https://github.com/vyperlang/vyper/issues/2455"}, {"name": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177", "tags": ["x_refsource_MISC"], "url": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177"}], "affected": [{"vendor": "vyperlang", "product": "vyper", "versions": [{"version": "< 0.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-25T17:48:32.135Z"}, "descriptions": [{"lang": "en", "value": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. Version 0.3.0 contains a patch for the issue.\n"}], "source": {"advisory": "GHSA-m2v9-w374-5hj9", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32648", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-25T19:30:39.358759Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*"], "vendor": "vyperlang", "product": "vyper", "versions": [{"status": "affected", "version": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:51:45.656Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:13:40.467Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9"}, {"name": "https://github.com/vyperlang/vyper/issues/2455", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vyperlang/vyper/issues/2455"}, {"name": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32648", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-16T14:15:26.875Z", "datePublished": "2024-04-25T17:48:32.135Z", "dateUpdated": "2024-06-04T17:51:45.656Z"}, "containers": {"cna": {"title": "vyper default functions don't respect nonreentrancy keys", "problemTypes": [{"descriptions": [{"cweId": "CWE-667", "lang": "en", "description": "CWE-667: Improper Locking", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9"}, {"name": "https://github.com/vyperlang/vyper/issues/2455", "tags": ["x_refsource_MISC"], "url": "https://github.com/vyperlang/vyper/issues/2455"}, {"name": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177", "tags": ["x_refsource_MISC"], "url": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177"}], "affected": [{"vendor": "vyperlang", "product": "vyper", "versions": [{"version": "< 0.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-25T17:48:32.135Z"}, "descriptions": [{"lang": "en", "value": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. Version 0.3.0 contains a patch for the issue.\n"}], "source": {"advisory": "GHSA-m2v9-w374-5hj9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32648", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-25T19:30:39.358759Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*"], "vendor": "vyperlang", "product": "vyper", "versions": [{"status": "affected", "version": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-25T19:31:46.461Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*", "matchCriteriaId": "65F778D8-E42E-4CDB-BF02-9406D65FD6B6", "versionEndExcluding": "0.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. Version 0.3.0 contains a patch for the issue.\n"}, {"lang": "es", "value": "Vyper es un lenguaje de contrato inteligente pit\u00f3nico para la m\u00e1quina virtual Ethereum. Antes de la versi\u00f3n 0.3.0, las funciones predeterminadas no respetan las claves que no son de reentrada y el bloqueo no se emite. No se encontraron contratos de producci\u00f3n vulnerables. Adem\u00e1s, usar un bloqueo en una funci\u00f3n \"predeterminada\" es un patr\u00f3n muy poco utilizado. Como tal, el impacto es bajo. La versi\u00f3n 0.3.0 contiene un parche para el problema."}], "id": "CVE-2024-32648", "lastModified": "2025-01-02T22:43:19.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-25T18:15:09.157", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/vyperlang/vyper/issues/2455"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/vyperlang/vyper/commit/93287e5ac184b53b395c907d40701f721daf8177"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/vyperlang/vyper/issues/2455"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-m2v9-w374-5hj9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}]}