Search criteria
4 vulnerabilities by evm_project
CVE-2024-21629 (GCVE-0-2024-21629)
Vulnerability from cvelistv5 – Published: 2024-01-02 21:26 – Updated: 2025-06-17 20:29
VLAI?
Summary
Rust EVM is an Ethereum Virtual Machine interpreter. In `rust-evm`, a feature called `record_external_operation` was introduced, allowing library users to record custom gas changes. This feature can have some bogus interactions with the call stack. In particular, during finalization of a `CREATE` or `CREATE2`, in the case that the substack execution happens successfully, `rust-evm` will first commit the substate, and then call `record_external_operation(Write(out_code.len()))`. If `record_external_operation` later fails, this error is returned to the parent call stack, instead of `Succeeded`. Yet, the substate commitment already happened. This causes smart contracts able to commit state changes, when the parent caller contract receives zero address (which usually indicates that the execution has failed). This issue only impacts library users with custom `record_external_operation` that returns errors. The issue is patched in release 0.41.1. No known workarounds are available.
Severity ?
5.9 (Medium)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| rust-ethereum | evm |
Affected:
< 0.41.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.116Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/rust-ethereum/evm/security/advisories/GHSA-27wg-99g8-2v4v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rust-ethereum/evm/security/advisories/GHSA-27wg-99g8-2v4v"
},
{
"name": "https://github.com/rust-ethereum/evm/pull/264",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rust-ethereum/evm/pull/264"
},
{
"name": "https://github.com/rust-ethereum/evm/commit/d8991ec727ad0fb64fe9957a3cd307387a6701e4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rust-ethereum/evm/commit/d8991ec727ad0fb64fe9957a3cd307387a6701e4"
},
{
"name": "https://github.com/rust-ethereum/evm/blob/release-v041/src/executor/stack/executor.rs#L1012C25-L1012C69",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rust-ethereum/evm/blob/release-v041/src/executor/stack/executor.rs#L1012C25-L1012C69"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21629",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-09T18:39:02.463672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:29:07.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "evm",
"vendor": "rust-ethereum",
"versions": [
{
"status": "affected",
"version": "\u003c 0.41.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rust EVM is an Ethereum Virtual Machine interpreter. In `rust-evm`, a feature called `record_external_operation` was introduced, allowing library users to record custom gas changes. This feature can have some bogus interactions with the call stack. In particular, during finalization of a `CREATE` or `CREATE2`, in the case that the substack execution happens successfully, `rust-evm` will first commit the substate, and then call `record_external_operation(Write(out_code.len()))`. If `record_external_operation` later fails, this error is returned to the parent call stack, instead of `Succeeded`. Yet, the substate commitment already happened. This causes smart contracts able to commit state changes, when the parent caller contract receives zero address (which usually indicates that the execution has failed). This issue only impacts library users with custom `record_external_operation` that returns errors. The issue is patched in release 0.41.1. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-02T21:26:12.680Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rust-ethereum/evm/security/advisories/GHSA-27wg-99g8-2v4v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rust-ethereum/evm/security/advisories/GHSA-27wg-99g8-2v4v"
},
{
"name": "https://github.com/rust-ethereum/evm/pull/264",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rust-ethereum/evm/pull/264"
},
{
"name": "https://github.com/rust-ethereum/evm/commit/d8991ec727ad0fb64fe9957a3cd307387a6701e4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rust-ethereum/evm/commit/d8991ec727ad0fb64fe9957a3cd307387a6701e4"
},
{
"name": "https://github.com/rust-ethereum/evm/blob/release-v041/src/executor/stack/executor.rs#L1012C25-L1012C69",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rust-ethereum/evm/blob/release-v041/src/executor/stack/executor.rs#L1012C25-L1012C69"
}
],
"source": {
"advisory": "GHSA-27wg-99g8-2v4v",
"discovery": "UNKNOWN"
},
"title": "Erroneous handling of `record_external_operation` error return"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21629",
"datePublished": "2024-01-02T21:26:12.680Z",
"dateReserved": "2023-12-29T03:00:44.954Z",
"dateUpdated": "2025-06-17T20:29:07.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39354 (GCVE-0-2022-39354)
Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-04-23 16:43
VLAI?
Summary
SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the `is_static` parameter to determine if the call is executed in a static context (via `STATICCALL`), and thus decide if stateful operations should be done. Prior to version 0.36.0, the passed `is_static` parameter was incorrect -- it was only set to `true` if the call came from a direct `STATICCALL` opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually uses `is_static`. For those affected, the issue can lead to possible incorrect state transitions. Version 0.36.0 contains a patch. There are no known workarounds.
Severity ?
5.9 (Medium)
CWE
- CWE-670 - Always-Incorrect Control Flow Implementation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| rust-blockchain | evm |
Affected:
< 0.36.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.050Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-hhc4-47rh-cr34"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rust-blockchain/evm/pull/133"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39354",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:55:44.553418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:43:37.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "evm",
"vendor": "rust-blockchain",
"versions": [
{
"status": "affected",
"version": "\u003c 0.36.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the `is_static` parameter to determine if the call is executed in a static context (via `STATICCALL`), and thus decide if stateful operations should be done. Prior to version 0.36.0, the passed `is_static` parameter was incorrect -- it was only set to `true` if the call came from a direct `STATICCALL` opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually uses `is_static`. For those affected, the issue can lead to possible incorrect state transitions. Version 0.36.0 contains a patch. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-670",
"description": "CWE-670: Always-Incorrect Control Flow Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-25T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-hhc4-47rh-cr34"
},
{
"url": "https://github.com/rust-blockchain/evm/pull/133"
}
],
"source": {
"advisory": "GHSA-hhc4-47rh-cr34",
"discovery": "UNKNOWN"
},
"title": "evm has incorrect is_static parameter for custom stateful precompiles"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39354",
"datePublished": "2022-10-25T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:43:37.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41153 (GCVE-0-2021-41153)
Vulnerability from cvelistv5 – Published: 2021-10-18 21:00 – Updated: 2024-08-04 02:59
VLAI?
Summary
The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm` crate `< 0.31.0`, `JUMPI` opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. This is a **high** severity security advisory if you use `evm` crate for Ethereum mainnet. In this case, you should update your library dependency immediately to on or after `0.31.0`. This is a **low** severity security advisory if you use `evm` crate in Frontier or in a standalone blockchain, because there's no security exploit possible with this advisory. It is **not** recommended to update to on or after `0.31.0` until all the normal chain upgrade preparations have been done. If you use Frontier or other `pallet-evm` based Substrate blockchain, please ensure to update your `spec_version` before updating this. For other blockchains, please make sure to follow a hard-fork process before you update this.
Severity ?
8.7 (High)
CWE
- CWE-670 - Always-Incorrect Control Flow Implementation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| rust-blockchain | evm |
Affected:
< 0.31.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-pvh2-pj76-4m96"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rust-blockchain/evm/pull/67"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "evm",
"vendor": "rust-blockchain",
"versions": [
{
"status": "affected",
"version": "\u003c 0.31.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm` crate `\u003c 0.31.0`, `JUMPI` opcode\u0027s condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. This is a **high** severity security advisory if you use `evm` crate for Ethereum mainnet. In this case, you should update your library dependency immediately to on or after `0.31.0`. This is a **low** severity security advisory if you use `evm` crate in Frontier or in a standalone blockchain, because there\u0027s no security exploit possible with this advisory. It is **not** recommended to update to on or after `0.31.0` until all the normal chain upgrade preparations have been done. If you use Frontier or other `pallet-evm` based Substrate blockchain, please ensure to update your `spec_version` before updating this. For other blockchains, please make sure to follow a hard-fork process before you update this."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-670",
"description": "CWE-670: Always-Incorrect Control Flow Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-18T21:00:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-pvh2-pj76-4m96"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rust-blockchain/evm/pull/67"
}
],
"source": {
"advisory": "GHSA-pvh2-pj76-4m96",
"discovery": "UNKNOWN"
},
"title": "Specification non-compliance in JUMPI",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41153",
"STATE": "PUBLIC",
"TITLE": "Specification non-compliance in JUMPI"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "evm",
"version": {
"version_data": [
{
"version_value": "\u003c 0.31.0"
}
]
}
}
]
},
"vendor_name": "rust-blockchain"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm` crate `\u003c 0.31.0`, `JUMPI` opcode\u0027s condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. This is a **high** severity security advisory if you use `evm` crate for Ethereum mainnet. In this case, you should update your library dependency immediately to on or after `0.31.0`. This is a **low** severity security advisory if you use `evm` crate in Frontier or in a standalone blockchain, because there\u0027s no security exploit possible with this advisory. It is **not** recommended to update to on or after `0.31.0` until all the normal chain upgrade preparations have been done. If you use Frontier or other `pallet-evm` based Substrate blockchain, please ensure to update your `spec_version` before updating this. For other blockchains, please make sure to follow a hard-fork process before you update this."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-670: Always-Incorrect Control Flow Implementation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-pvh2-pj76-4m96",
"refsource": "CONFIRM",
"url": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-pvh2-pj76-4m96"
},
{
"name": "https://github.com/rust-blockchain/evm/pull/67",
"refsource": "MISC",
"url": "https://github.com/rust-blockchain/evm/pull/67"
}
]
},
"source": {
"advisory": "GHSA-pvh2-pj76-4m96",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41153",
"datePublished": "2021-10-18T21:00:13",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29511 (GCVE-0-2021-29511)
Vulnerability from cvelistv5 – Published: 2021-05-12 17:15 – Updated: 2024-08-03 22:11
VLAI?
Summary
evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the `evm` crate can over-allocate memory when it is not needed, making it possible for an attacker to perform denial-of-service attack. The flaw was corrected in commit `19ade85`. Users should upgrade to `==0.21.1, ==0.23.1, ==0.24.1, ==0.25.1, >=0.26.1`. There are no workarounds. Please upgrade your `evm` crate version.
Severity ?
6.5 (Medium)
CWE
- CWE-770 - {"CWE-770":"Allocation of Resources Without Limits or Throttling"}
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| rust-blockchain | evm |
Affected:
< 0.21.1
Affected: = 0.22.0 Affected: = 0.23.0 Affected: = 0.24.0 Affected: = 0.25.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:11:05.441Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-4jwq-572w-4388"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rust-blockchain/evm/commit/19ade858c430ab13eb562764a870ac9f8506f8dd"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://crates.io/crates/evm"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "evm",
"vendor": "rust-blockchain",
"versions": [
{
"status": "affected",
"version": "\u003c 0.21.1"
},
{
"status": "affected",
"version": "= 0.22.0"
},
{
"status": "affected",
"version": "= 0.23.0"
},
{
"status": "affected",
"version": "= 0.24.0"
},
{
"status": "affected",
"version": "= 0.25.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the `evm` crate can over-allocate memory when it is not needed, making it possible for an attacker to perform denial-of-service attack. The flaw was corrected in commit `19ade85`. Users should upgrade to `==0.21.1, ==0.23.1, ==0.24.1, ==0.25.1, \u003e=0.26.1`. There are no workarounds. Please upgrade your `evm` crate version."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "{\"CWE-770\":\"Allocation of Resources Without Limits or Throttling\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-12T17:15:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-4jwq-572w-4388"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rust-blockchain/evm/commit/19ade858c430ab13eb562764a870ac9f8506f8dd"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://crates.io/crates/evm"
}
],
"source": {
"advisory": "GHSA-4jwq-572w-4388",
"discovery": "UNKNOWN"
},
"title": "Memory over-allocation in evm crate",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29511",
"STATE": "PUBLIC",
"TITLE": "Memory over-allocation in evm crate"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "evm",
"version": {
"version_data": [
{
"version_value": "\u003c 0.21.1"
},
{
"version_value": "= 0.22.0"
},
{
"version_value": "= 0.23.0"
},
{
"version_value": "= 0.24.0"
},
{
"version_value": "= 0.25.0"
}
]
}
}
]
},
"vendor_name": "rust-blockchain"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the `evm` crate can over-allocate memory when it is not needed, making it possible for an attacker to perform denial-of-service attack. The flaw was corrected in commit `19ade85`. Users should upgrade to `==0.21.1, ==0.23.1, ==0.24.1, ==0.25.1, \u003e=0.26.1`. There are no workarounds. Please upgrade your `evm` crate version."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-770\":\"Allocation of Resources Without Limits or Throttling\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-4jwq-572w-4388",
"refsource": "CONFIRM",
"url": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-4jwq-572w-4388"
},
{
"name": "https://github.com/rust-blockchain/evm/commit/19ade858c430ab13eb562764a870ac9f8506f8dd",
"refsource": "MISC",
"url": "https://github.com/rust-blockchain/evm/commit/19ade858c430ab13eb562764a870ac9f8506f8dd"
},
{
"name": "https://crates.io/crates/evm",
"refsource": "MISC",
"url": "https://crates.io/crates/evm"
}
]
},
"source": {
"advisory": "GHSA-4jwq-572w-4388",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29511",
"datePublished": "2021-05-12T17:15:11",
"dateReserved": "2021-03-30T00:00:00",
"dateUpdated": "2024-08-03T22:11:05.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}