CVE-2018-18920
Py-EVM is vulnerable to arbitrary bytecode injection
Severity: 8.8 HIGH (CVSS 3.1); EPSS 0.71%
Description
Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.execute_bytecode call that causes computation._stack.values to hold '"stack": [100, 100, 0]' (plain integers) where bytes of the form b'\x' were expected, resulting in an execution failure because of an invalid opcode. This is reportedly related to "smart contracts can be executed indefinitely without gas being paid."
How to fix CVE-2018-18920
To remediate CVE-2018-18920, upgrade the affected package to a fixed version below.
- —no fix listed
- —no fix listed
- —upgrade to 0.2.0a33 or later
Is CVE-2018-18920 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, <= 0.2.0-alpha.33
- from 0, <= 0.2.0a33
- from 0, < 0.2.0a33
CVSS scores
| Source | Version | Severity (score) | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |