cvelistv5 - CVE-2023-31146

CVE-2023-31146 (GCVE-0-2023-31146)

Vulnerability from cvelistv5 – Published: 2023-05-11 20:51 – Updated: 2025-01-24 16:02

Summary

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-787 - Out-of-bounds Write

Assigner

GitHub_M

References

URL

Tags

	https://github.com/vyperlang/vyper/security/advis…	x_refsource_CONFIRM
	https://github.com/vyperlang/vyper/commit/4f8289a…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vyperlang	vyper	Affected: < 0.3.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:45:25.685Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv"
          },
          {
            "name": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-31146",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T15:59:53.354621Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-24T16:02:08.702Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vyper",
          "vendor": "vyperlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.3.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-11T20:51:51.666Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv"
        },
        {
          "name": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb"
        }
      ],
      "source": {
        "advisory": "GHSA-3p37-3636-q8wv",
        "discovery": "UNKNOWN"
      },
      "title": "Vyper vulnerable to OOB DynArray access when array is on both LHS and RHS of an assignment"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-31146",
    "datePublished": "2023-05-11T20:51:51.666Z",
    "dateReserved": "2023-04-24T21:44:10.418Z",
    "dateUpdated": "2025-01-24T16:02:08.702Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.3.8\", \"matchCriteriaId\": \"4E33CC4B-8A7D-4AB9-91C6-7B103ED59531\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.\"}]",
      "id": "CVE-2023-31146",
      "lastModified": "2024-11-21T08:01:29.300",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.2}]}",
      "published": "2023-05-11T21:15:10.240",
      "references": "[{\"url\": \"https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-787\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-31146\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-05-11T21:15:10.240\",\"lastModified\":\"2025-01-24T16:15:32.803\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.3.8\",\"matchCriteriaId\":\"4E33CC4B-8A7D-4AB9-91C6-7B103ED59531\"}]}]}],\"references\":[{\"url\":\"https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv\", \"name\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb\", \"name\": \"https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T14:45:25.685Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-31146\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-24T15:59:53.354621Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787 Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-24T16:02:00.623Z\"}}], \"cna\": {\"title\": \"Vyper vulnerable to OOB DynArray access when array is on both LHS and RHS of an assignment\", \"source\": {\"advisory\": \"GHSA-3p37-3636-q8wv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"vyperlang\", \"product\": \"vyper\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.3.8\"}]}], \"references\": [{\"url\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv\", \"name\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb\", \"name\": \"https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787: Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-05-11T20:51:51.666Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-31146\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-24T16:02:08.702Z\", \"dateReserved\": \"2023-04-24T21:44:10.418Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-05-11T20:51:51.666Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-3P37-3636-Q8WV

Vulnerability from github – Published: 2023-05-12 20:21 – Updated: 2024-11-19 16:32

Summary

Vyper vulnerable to OOB DynArray access when array is on both LHS and RHS of an assignment

Details

Impact

during codegen, the length word of a dynarray is written before the data, which can result in OOB array access in the case where the dynarray is on both the lhs and rhs of an assignment. here is a minimal example producing the issue:

a:DynArray[uint256,3]
@external
def test() -> DynArray[uint256,3]:
    self.a = [1,2,3]
    self.a = empty(DynArray[uint256,3])
    self.a = [self.a[0],self.a[1],self.a[2]]
    return self.a # return [1,2,3]

and here is an example demonstrating the issue can cause data corruption across call frames:

@external
def test() -> DynArray[uint256,3]:
    self.a()
    return self.b() # return [1,2,3]

@internal
def a():
    a: uint256 = 0    
    b: uint256 = 1    
    c: uint256 = 2    
    d: uint256 = 3

@internal
def b() -> DynArray[uint256,3]:
    a: DynArray[uint256,3] = empty(DynArray[uint256,3])
    a = [a[0],a[1],a[2]]
    return a

examples involving append and pop:

@internal
def foo():
    c: DynArray[uint256, 1] = []
    c.append(c[0])

@internal
def foo():
    c: DynArray[uint256, 1] = [1]
    c[0] = c.pop()

the expected behavior in all of the above cases is to revert due to oob array access.

Patches

patched in 4f8289a81206f767df1900ac48f485d90fc87edb

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-31146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-12T20:21:54Z",
    "nvd_published_at": "2023-05-11T21:15:10Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nduring codegen, the length word of a dynarray is written before the data, which can result in OOB array access in the case where the dynarray is on both the lhs and rhs of an assignment. here is a minimal example producing the issue:\n```vyper\na:DynArray[uint256,3]\n@external\ndef test() -\u003e DynArray[uint256,3]:\n    self.a = [1,2,3]\n    self.a = empty(DynArray[uint256,3])\n    self.a = [self.a[0],self.a[1],self.a[2]]\n    return self.a # return [1,2,3]\n```\n\nand here is an example demonstrating the issue can cause data corruption across call frames:\n\n```vyper\n@external\ndef test() -\u003e DynArray[uint256,3]:\n    self.a()\n    return self.b() # return [1,2,3]\n\n@internal\ndef a():\n    a: uint256 = 0    \n    b: uint256 = 1    \n    c: uint256 = 2    \n    d: uint256 = 3\n\n@internal\ndef b() -\u003e DynArray[uint256,3]:\n    a: DynArray[uint256,3] = empty(DynArray[uint256,3])\n    a = [a[0],a[1],a[2]]\n    return a\n```\n\nexamples involving append and pop:\n```vyper\n@internal\ndef foo():\n    c: DynArray[uint256, 1] = []\n    c.append(c[0])\n```\n\n```vyper\n@internal\ndef foo():\n    c: DynArray[uint256, 1] = [1]\n    c[0] = c.pop()\n```\n\nthe expected behavior in all of the above cases is to revert due to oob array access.\n\n### Patches\npatched in 4f8289a81206f767df1900ac48f485d90fc87edb\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_\n",
  "id": "GHSA-3p37-3636-q8wv",
  "modified": "2024-11-19T16:32:12Z",
  "published": "2023-05-12T20:21:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31146"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-77.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vyper vulnerable to OOB DynArray access when array is on both LHS and RHS of an assignment"
}

FKIE_CVE-2023-31146

Vulnerability from fkie_nvd - Published: 2023-05-11 21:15 - Updated: 2025-01-24 16:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb	Patch
security-advisories@github.com	https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	vyperlang	vyper	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E33CC4B-8A7D-4AB9-91C6-7B103ED59531",
              "versionEndExcluding": "0.3.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue."
    }
  ],
  "id": "CVE-2023-31146",
  "lastModified": "2025-01-24T16:15:32.803",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-05-11T21:15:10.240",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

PYSEC-2023-77

Vulnerability from pysec - Published: 2023-05-11 21:15 - Updated: 2023-06-05 01:13

Details

Impacted products

Name	purl
vyper	pkg:pypi/vyper

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper",
        "purl": "pkg:pypi/vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4f8289a81206f767df1900ac48f485d90fc87edb"
            }
          ],
          "repo": "https://github.com/vyperlang/vyper",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0b1",
        "0.1.0b10",
        "0.1.0b11",
        "0.1.0b12",
        "0.1.0b13",
        "0.1.0b14",
        "0.1.0b15",
        "0.1.0b16",
        "0.1.0b17",
        "0.1.0b2",
        "0.1.0b3",
        "0.1.0b4",
        "0.1.0b5",
        "0.1.0b6",
        "0.1.0b7",
        "0.1.0b8",
        "0.1.0b9",
        "0.2.1",
        "0.2.10",
        "0.2.11",
        "0.2.12",
        "0.2.13",
        "0.2.14",
        "0.2.15",
        "0.2.16",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.2.5",
        "0.2.6",
        "0.2.7",
        "0.2.8",
        "0.2.9",
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.3.6",
        "0.3.7"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-31146",
    "GHSA-3p37-3636-q8wv"
  ],
  "details": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.",
  "id": "PYSEC-2023-77",
  "modified": "2023-06-05T01:13:02.500642Z",
  "published": "2023-05-11T21:15:00Z",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb"
    }
  ]
}

GSD-2023-31146

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-31146

Aliases

CVE-2023-31146

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-31146",
    "id": "GSD-2023-31146"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-31146"
      ],
      "details": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.",
      "id": "GSD-2023-31146",
      "modified": "2023-12-13T01:20:30.347643Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-31146",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "vyper",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 0.3.8"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "vyperlang"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-787",
                "lang": "eng",
                "value": "CWE-787: Out-of-bounds Write"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv",
            "refsource": "MISC",
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv"
          },
          {
            "name": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb",
            "refsource": "MISC",
            "url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-3p37-3636-q8wv",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.3.8",
          "affected_versions": "All versions before 0.3.8",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-787",
            "CWE-937"
          ],
          "date": "2023-08-02",
          "description": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue.",
          "fixed_versions": [
            "0.3.8"
          ],
          "identifier": "CVE-2023-31146",
          "identifiers": [
            "CVE-2023-31146",
            "GHSA-3p37-3636-q8wv"
          ],
          "not_impacted": "All versions starting from 0.3.8",
          "package_slug": "pypi/vyper",
          "pubdate": "2023-05-11",
          "solution": "Upgrade to version 0.3.8 or above.",
          "title": "Out-of-bounds Write",
          "urls": [
            "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-31146",
            "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb",
            "https://github.com/advisories/GHSA-3p37-3636-q8wv"
          ],
          "uuid": "ac40d968-9442-42b7-83df-85a4be1fccb1"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.3.8",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-31146"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. The expected behavior is to revert due to out-of-bounds array access. Version 0.3.8 contains a patch for this issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-787"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv"
            },
            {
              "name": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/vyperlang/vyper/commit/4f8289a81206f767df1900ac48f485d90fc87edb"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2023-08-02T16:22Z",
      "publishedDate": "2023-05-11T21:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-31146 (GCVE-0-2023-31146)

GHSA-3P37-3636-Q8WV

Impact

Patches

Workarounds

References

FKIE_CVE-2023-31146

PYSEC-2023-77

GSD-2023-31146

Tags

Sightings

Nomenclature