GHSA-PH9X-4VC9-M39G

Vulnerability from github – Published: 2023-05-12 20:21 – Updated: 2024-11-19 16:33
VLAI?
Summary
Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls
Details

Impact

Internal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. In the bar() function in the following code, self.foo(13) is compiled to self.foo(13,12) instead of self.foo(13,1337).

@internal
def foo(a:uint256 = 12, b:uint256 = 1337):
    pass

@internal
def bar():
    self.foo(13)

note that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.

Patches

patched in c3e68c302aa6e1429946473769dd1232145822ac

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-683"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-12T20:21:00Z",
    "nvd_published_at": "2023-05-11T22:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nInternal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments\nprovided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible,\ntypechecking is bypassed. In the `bar()` function in the following code, `self.foo(13)` is compiled to\n`self.foo(13,12)` instead of `self.foo(13,1337)`.\n\n```vyper\n@internal\ndef foo(a:uint256 = 12, b:uint256 = 1337):\n    pass\n\n@internal\ndef bar():\n    self.foo(13)\n```\n\nnote that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.\n\n### Patches\npatched in c3e68c302aa6e1429946473769dd1232145822ac\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_\n",
  "id": "GHSA-ph9x-4vc9-m39g",
  "modified": "2024-11-19T16:33:02Z",
  "published": "2023-05-12T20:21:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32059"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.