GHSA-ph9x-4vc9-m39g
Vulnerability from github
Impact
Internal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments
provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible,
typechecking is bypassed. In the bar() function in the following code, self.foo(13) is compiled to
self.foo(13,12) instead of self.foo(13,1337).
```vyper @internal def foo(a:uint256 = 12, b:uint256 = 1337): pass
@internal def bar(): self.foo(13) ```
note that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.
Patches
patched in c3e68c302aa6e1429946473769dd1232145822ac
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vyper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32059"
],
"database_specific": {
"cwe_ids": [
"CWE-683"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-12T20:21:00Z",
"nvd_published_at": "2023-05-11T22:15:11Z",
"severity": "HIGH"
},
"details": "### Impact\n\nInternal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments\nprovided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible,\ntypechecking is bypassed. In the `bar()` function in the following code, `self.foo(13)` is compiled to\n`self.foo(13,12)` instead of `self.foo(13,1337)`.\n\n```vyper\n@internal\ndef foo(a:uint256 = 12, b:uint256 = 1337):\n pass\n\n@internal\ndef bar():\n self.foo(13)\n```\n\nnote that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.\n\n### Patches\npatched in c3e68c302aa6e1429946473769dd1232145822ac\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_\n",
"id": "GHSA-ph9x-4vc9-m39g",
"modified": "2023-06-05T21:16:32Z",
"published": "2023-05-12T20:21:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32059"
},
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vyperlang/vyper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls"
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.