SCA: security update for vyper (GHSA-f5x6-7qgp-jhf3)

Severity: Medium | Tenable Self-Hosted Container Security | Plugin ID 414308

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Vyper is a Pythonic programming language that targets the Ethereum Virtual Machine (EVM). Prior to version 0.3.10, the ecrecover precompile does not fill the output buffer if the signature does not verify. However, the ecrecover builtin will still return whatever is at memory location 0. This means that if the compiler has been convinced to write to memory location 0 with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature. Version 0.3.10 contains a patch for this issue. (CVE-2023-37902)

See Also

https://github.com/advisories/GHSA-f5x6-7qgp-jhf3

Plugin Details

Severity: Medium

ID: 414308

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2023-37902

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 5.5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/25/2023

Vulnerability Publication Date: 7/25/2023

Reference Information

CVE: CVE-2023-37902

CWE: CWE-252