CVE-2023-30543
`chainId` may be outdated if user changes chains as part of connection in @web3-react
Description
### Impact
`chainId` may be outdated if the user changes chains as part of the connection flow. This means that the value of `chainId` returned by `useWeb3React()` may be incorrect, and any application data derived from `chainId` could be incorrect as well. For example, if a swapping application derives a wrapped token contract address from the `chainId` *and* the user has changed chains as part of their connection flow, the application could cause the user to send funds to the incorrect address when wrapping. Deriving addresses from `chainId` is a common approach when using other foundational libraries like [`ethers`](https://github.com/ethers-io/ethers.js), so most users of v8 will want to upgrade past the affected versions.
### Patches
Patched in https://github.com/Uniswap/web3-react/pull/749. Users of [email protected] should upgrade to at least:
- @web3-react/coinbase-wallet@^8.0.35-beta.0
- @web3-react/eip1193@^8.0.27-beta.0
- @web3-react/metamask@^8.0.30-beta.0
- @web3-react/walletconnect@^8.0.37-beta.0
### Workarounds
N/A
### References
N/A
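As an added illustration (not code from web3-react, the advisory, or the linked PR), the script below models the failure mode described above. A wallet provider constructed for this example, shaped like an EIP-1193 provider, lets the user switch from chain 1 to chain 137 inside the connection prompt. A connect routine that snapshots `chainId` before the prompt derives the wrapped-token address for the wrong chain; the hardened routine reads `chainId` after the prompt completes, tracks `chainChanged`, and re-queries `eth_chainId` immediately before deriving the address. The `WRAPPED_NATIVE` registry and its addresses are placeholders for the example, not real contract deployments.

```javascript
// Added example: stale chainId during connection, vulnerable vs. hardened flow.
// MockWalletProvider is a constructed stand-in for an EIP-1193 wallet provider; it
// implements only eth_chainId, eth_requestAccounts and the chainChanged event.
class MockWalletProvider {
  constructor(chainId, { switchDuringConnectTo = null } = {}) {
    this.chainId = chainId;
    this.switchDuringConnectTo = switchDuringConnectTo;
    this.listeners = {};
  }
  on(event, cb) {
    if (!this.listeners[event]) this.listeners[event] = [];
    this.listeners[event].push(cb);
  }
  async request({ method }) {
    switch (method) {
      case 'eth_chainId':
        return '0x' + this.chainId.toString(16);
      case 'eth_requestAccounts':
        // Simulates a wallet that lets the user change network inside the connect prompt.
        if (this.switchDuringConnectTo !== null) {
          this.setChain(this.switchDuringConnectTo);
          this.switchDuringConnectTo = null;
        }
        return ['0x000000000000000000000000000000000000dEaD'];
      default:
        throw new Error(`unsupported method ${method}`);
    }
  }
  setChain(chainId) {
    this.chainId = chainId;
    for (const cb of this.listeners.chainChanged || []) cb('0x' + chainId.toString(16));
  }
}

// Hypothetical per-chain registry of wrapped-native-token contracts.
// Placeholder addresses, not real deployments.
const WRAPPED_NATIVE = {
  1:   '0x1000000000000000000000000000000000000001',
  137: '0x1370000000000000000000000000000000000137',
};

// Vulnerable flow: chainId is read once before the wallet prompt and never refreshed,
// so a chain switch inside the prompt leaves the stored value stale.
async function connectStale(provider) {
  const chainId = parseInt(await provider.request({ method: 'eth_chainId' }), 16);
  const [account] = await provider.request({ method: 'eth_requestAccounts' });
  return { chainId, account };
}

// Derives the target contract from the (possibly stale) stored chainId.
function buildWrapTxStale(state, valueWei) {
  return { to: WRAPPED_NATIVE[state.chainId], value: valueWei, chainId: state.chainId };
}

// Hardened flow: subscribe to chainChanged first, read chainId only after the prompt
// completes, and re-check against the wallet right before deriving an address.
async function connectFresh(provider) {
  const state = { chainId: null, account: null };
  provider.on('chainChanged', (hex) => { state.chainId = parseInt(hex, 16); });
  [state.account] = await provider.request({ method: 'eth_requestAccounts' });
  state.chainId = parseInt(await provider.request({ method: 'eth_chainId' }), 16);
  return state;
}

async function buildWrapTxChecked(state, provider, valueWei) {
  const live = parseInt(await provider.request({ method: 'eth_chainId' }), 16);
  if (live !== state.chainId) {
    throw new Error(`chainId mismatch: app has ${state.chainId}, wallet reports ${live}`);
  }
  const to = WRAPPED_NATIVE[live];
  if (!to) throw new Error(`no wrapped-native contract known for chain ${live}`);
  return { to, value: valueWei, chainId: live };
}

// Demonstration: the user starts on chain 1 and switches to 137 inside the connect prompt.
async function demo() {
  const staleProvider = new MockWalletProvider(1, { switchDuringConnectTo: 137 });
  const stale = await connectStale(staleProvider);
  const staleTx = buildWrapTxStale(stale, 1n); // targets chain 1's contract on chain 137

  const freshProvider = new MockWalletProvider(1, { switchDuringConnectTo: 137 });
  const fresh = await connectFresh(freshProvider);
  const checkedTx = await buildWrapTxChecked(fresh, freshProvider, 1n);

  return { walletChainId: staleProvider.chainId, staleTx, checkedTx };
}
```

`demo()` returns both transactions so the mismatch is visible: the wallet ends on chain 137, the stale transaction targets the chain 1 address, and the checked one targets the chain 137 address. In a real application the same re-check belongs immediately before `sendTransaction`, since a chain switch can also happen long after connection and the hook value is only as current as the last event the connector processed.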
How to fix CVE-2023-30543
To fix CVE-2023-30543, upgrade the affected packages to the patched versions below.
- @web3-react/coinbase-wallet: upgrade to 8.0.35-beta.0 or later
- @web3-react/eip1193: upgrade to 8.0.27-beta.0 or later
- @web3-react/metamask: upgrade to 8.0.30-beta.0 or later
- @web3-react/walletconnect: upgrade to 8.0.37-beta.0 or later
Is CVE-2023-30543 being exploited?
Low: EPSS is 0.2%, and no widespread exploitation activity has been observed to date.
Affected packages (4)
- @web3-react/coinbase-wallet: >= 6.0.0, < 8.0.35-beta.0
- @web3-react/eip1193: >= 6.0.0, < 8.0.27-beta
- @web3-react/metamask: >= 6.0.0, < 8.0.30-beta.0
- @web3-react/walletconnect: >= 6.0.0, < 8.0.37-beta.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.2) | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L |