SCA: security update for vyper (GHSA-vxmm-cwh2-q762)

medium Tenable Cloud Security Plugin ID 419611

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than
one regular nonpayable function, it is possible to send funds to the default function, even if the default
function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8.
This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are
advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default
functions. (CVE-2023-32675)

See Also

https://github.com/advisories/GHSA-vxmm-cwh2-q762

Plugin Details

Severity: Medium

ID: 419611

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2023-32675

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 2.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/22/2023

Vulnerability Publication Date: 5/19/2023

Reference Information

CVE: CVE-2023-32675

cwe: CWE-670