cvelistv5 - CVE-2023-32675

CVE-2023-32675 (GCVE-0-2023-32675)

Vulnerability from cvelistv5 – Published: 2023-05-19 19:46 – Updated: 2025-02-12 16:36

Summary

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.

Severity ?

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-670 - Always-Incorrect Control Flow Implementation

Assigner

GitHub_M

References

URL

Tags

	https://github.com/vyperlang/vyper/security/advis…	x_refsource_CONFIRM
	https://github.com/vyperlang/vyper/commit/02339df…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vyperlang	vyper	Affected: < 0.3.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:25:36.340Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"
          },
          {
            "name": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32675",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-21T17:07:30.282818Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T16:36:34.945Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vyper",
          "vendor": "vyperlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.3.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-670",
              "description": "CWE-670: Always-Incorrect Control Flow Implementation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-04T13:48:07.129Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"
        },
        {
          "name": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520"
        }
      ],
      "source": {
        "advisory": "GHSA-vxmm-cwh2-q762",
        "discovery": "UNKNOWN"
      },
      "title": "Nonpayable default functions are sometimes payable in vyper"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-32675",
    "datePublished": "2023-05-19T19:46:18.047Z",
    "dateReserved": "2023-05-11T16:33:45.730Z",
    "dateUpdated": "2025-02-12T16:36:34.945Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.3.8\", \"matchCriteriaId\": \"4E33CC4B-8A7D-4AB9-91C6-7B103ED59531\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.\"}]",
      "id": "CVE-2023-32675",
      "lastModified": "2024-11-21T08:03:49.630",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 3.7, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
      "published": "2023-05-19T20:15:09.230",
      "references": "[{\"url\": \"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-670\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-32675\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-05-19T20:15:09.230\",\"lastModified\":\"2024-11-21T08:03:49.630\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-670\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.3.8\",\"matchCriteriaId\":\"4E33CC4B-8A7D-4AB9-91C6-7B103ED59531\"}]}]}],\"references\":[{\"url\":\"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762\", \"name\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520\", \"name\": \"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T15:25:36.340Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-32675\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-21T17:07:30.282818Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T16:36:27.785Z\"}}], \"cna\": {\"title\": \"Nonpayable default functions are sometimes payable in vyper\", \"source\": {\"advisory\": \"GHSA-vxmm-cwh2-q762\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"vyperlang\", \"product\": \"vyper\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.3.8\"}]}], \"references\": [{\"url\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762\", \"name\": \"https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520\", \"name\": \"https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-670\", \"description\": \"CWE-670: Always-Incorrect Control Flow Implementation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-10-04T13:48:07.129Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-32675\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-12T16:36:34.945Z\", \"dateReserved\": \"2023-05-11T16:33:45.730Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-05-19T19:46:18.047Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-VXMM-CWH2-Q762

Vulnerability from github – Published: 2023-05-22 20:35 – Updated: 2024-11-19 16:42

Summary

Vyper's nonpayable default functions are sometimes payable

Details

Impact

in contracts with at least one regular nonpayable function, due to the callvalue check being inside of the selector section, it is possible to send funds to the default function by using less than 4 bytes of calldata, even if the default function is marked nonpayable. this applies to contracts compiled with vyper<=0.3.7.

# @version 0.3.7

# implicitly nonpayable
@external
def foo() -> uint256:
    return 1

# implicitly nonpayable
@external
def __default__():
    # could receive ether here
    pass

Patches

this was fixed by the removal of the global calldatasize check in https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.

Workarounds

don't use nonpayable default functions

Severity ?

3.7 (Low)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

6.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-22T20:35:46Z",
    "nvd_published_at": "2023-05-19T20:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nin contracts with at least one regular nonpayable function, due to the callvalue check being inside of the selector section, it is possible to send funds to the default function by using less than 4 bytes of calldata, even if the default function is marked `nonpayable`. this applies to contracts compiled with vyper\u003c=0.3.7.\n```vyper\n# @version 0.3.7\n\n# implicitly nonpayable\n@external\ndef foo() -\u003e uint256:\n    return 1\n\n# implicitly nonpayable\n@external\ndef __default__():\n    # could receive ether here\n    pass\n```\n\n### Patches\nthis was fixed by the removal of the global calldatasize check in https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.\n\n### Workarounds\ndon\u0027t use nonpayable default functions\n\n",
  "id": "GHSA-vxmm-cwh2-q762",
  "modified": "2024-11-19T16:42:42Z",
  "published": "2023-05-22T20:35:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32675"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520."
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-80.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vyper\u0027s nonpayable default functions are sometimes payable"
}

FKIE_CVE-2023-32675

Vulnerability from fkie_nvd - Published: 2023-05-19 20:15 - Updated: 2024-11-21 08:03

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520	Patch
security-advisories@github.com	https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762	Exploit, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762	Exploit, Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	vyperlang	vyper	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E33CC4B-8A7D-4AB9-91C6-7B103ED59531",
              "versionEndExcluding": "0.3.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions."
    }
  ],
  "id": "CVE-2023-32675",
  "lastModified": "2024-11-21T08:03:49.630",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-19T20:15:09.230",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-670"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

PYSEC-2023-80

Vulnerability from pysec - Published: 2023-05-19 20:15 - Updated: 2023-06-05 01:13

Details

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked nonpayable. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global calldatasize check in commit 02339dfda. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.

Impacted products

Name	purl
vyper	pkg:pypi/vyper

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper",
        "purl": "pkg:pypi/vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "02339dfda0f3caabad142060d511d10bfe93c520."
            }
          ],
          "repo": "https://github.com/vyperlang/vyper",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0b1",
        "0.1.0b10",
        "0.1.0b11",
        "0.1.0b12",
        "0.1.0b13",
        "0.1.0b14",
        "0.1.0b15",
        "0.1.0b16",
        "0.1.0b17",
        "0.1.0b2",
        "0.1.0b3",
        "0.1.0b4",
        "0.1.0b5",
        "0.1.0b6",
        "0.1.0b7",
        "0.1.0b8",
        "0.1.0b9",
        "0.2.1",
        "0.2.10",
        "0.2.11",
        "0.2.12",
        "0.2.13",
        "0.2.14",
        "0.2.15",
        "0.2.16",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.2.5",
        "0.2.6",
        "0.2.7",
        "0.2.8",
        "0.2.9",
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.3.6",
        "0.3.7"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32675",
    "GHSA-vxmm-cwh2-q762"
  ],
  "details": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.",
  "id": "PYSEC-2023-80",
  "modified": "2023-06-05T01:13:03.140034Z",
  "published": "2023-05-19T20:15:00Z",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520."
    }
  ]
}

GSD-2023-32675

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-32675

Aliases

CVE-2023-32675

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-32675",
    "id": "GSD-2023-32675"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-32675"
      ],
      "details": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.",
      "id": "GSD-2023-32675",
      "modified": "2023-12-13T01:20:24.095024Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-32675",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "vyper",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 0.3.8"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "vyperlang"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-670",
                "lang": "eng",
                "value": "CWE-670: Always-Incorrect Control Flow Implementation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762",
            "refsource": "MISC",
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"
          },
          {
            "name": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520",
            "refsource": "MISC",
            "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-vxmm-cwh2-q762",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.3.8",
          "affected_versions": "All versions before 0.3.8",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-670",
            "CWE-937"
          ],
          "date": "2023-08-02",
          "description": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.",
          "fixed_versions": [
            "0.3.8"
          ],
          "identifier": "CVE-2023-32675",
          "identifiers": [
            "CVE-2023-32675",
            "GHSA-vxmm-cwh2-q762"
          ],
          "not_impacted": "All versions starting from 0.3.8",
          "package_slug": "pypi/vyper",
          "pubdate": "2023-05-19",
          "solution": "Upgrade to version 0.3.8 or above.",
          "title": "Always-Incorrect Control Flow Implementation",
          "urls": [
            "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-32675",
            "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520",
            "https://github.com/vyperlang/vyper/commit/903727006c1e5ebef99fa9fd5d51d62bd33d72a9",
            "https://github.com/advisories/GHSA-vxmm-cwh2-q762"
          ],
          "uuid": "666e659c-a2d5-4a52-ab1f-b9fc44a1983a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.3.8",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-32675"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-670"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762"
            },
            {
              "name": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2023-10-26T18:00Z",
      "publishedDate": "2023-05-19T20:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-32675 (GCVE-0-2023-32675)

GHSA-VXMM-CWH2-Q762

Impact

Patches

Workarounds

FKIE_CVE-2023-32675

PYSEC-2023-80

GSD-2023-32675

Tags

Sightings

Nomenclature