cvelistv5 - cve-2022-29255

▼	URL	Tags
	security-advisories@github.com	https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d	Patch, Third Party Advisory
	security-advisories@github.com	https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38	Exploit, Mitigation, Third Party Advisory

▼	Vendor	Product
	vyperlang	vyper

ghsa-4v9q-cgpw-cf38

Vulnerability from github

Published

2022-06-06 21:23

Modified

2023-06-03 00:38

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

Multiple evaluation of contract address in call in vyper

Details

Impact

when a calling an external contract with no return value, the contract address could be evaluated twice. this is usually only an efficiency problem, but if evaluation of the contract address has side effects, it could result in double evaluation of the side effects.

in the following example, Foo(msg.sender).bar() is the contract address for the following call (to .foo()), and could get evaluated twice

```vyper interface Foo: def foo(): nonpayable def bar() -> address: nonpayable

@external def do_stuff(): Foo(Foo(msg.sender).bar()).foo() ```

Patches

6b4d8ff185de071252feaa1c319712b2d6577f8d

Workarounds

assign contract addresses to variables. the above example would change to vyper @external def do_stuff(): t: Foo = Foo(msg.sender).bar() t.foo()

References

For more information

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "ecosystem_specific": {
        "affected_functions": [
          "vyper.codegen.external_call.ir_for_external_call"
        ]
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29255"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-06T21:23:58Z",
    "nvd_published_at": "2022-06-09T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nwhen a calling an external contract with no return value, the contract address could be evaluated twice. this is usually only an efficiency problem, but if evaluation of the contract address has side effects, it could result in double evaluation of the side effects.\n\nin the following example, `Foo(msg.sender).bar()` is the contract address for the following call (to `.foo()`), and could get evaluated twice\n\n```vyper\ninterface Foo:\n    def foo(): nonpayable\n    def bar() -\u003e address: nonpayable\n\n@external\ndef do_stuff():\n    Foo(Foo(msg.sender).bar()).foo()\n```\n\n### Patches\n6b4d8ff185de071252feaa1c319712b2d6577f8d\n\n### Workarounds\nassign contract addresses to variables. the above example would change to\n```vyper\n@external\ndef do_stuff():\n    t: Foo = Foo(msg.sender).bar()\n    t.foo()\n```\n\n### References\n\n### For more information\n",
  "id": "GHSA-4v9q-cgpw-cf38",
  "modified": "2023-06-03T00:38:54Z",
  "published": "2022-06-06T21:23:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29255"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2022-43053.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Multiple evaluation of contract address in call in vyper"
}

pysec-2022-43053

Vulnerability from pysec

Published

2022-06-09 09:15

Modified

2023-08-02 18:28

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper",
        "purl": "pkg:pypi/vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6b4d8ff185de071252feaa1c319712b2d6577f8d"
            }
          ],
          "repo": "https://github.com/vyperlang/vyper",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0b1",
        "0.1.0b10",
        "0.1.0b11",
        "0.1.0b12",
        "0.1.0b13",
        "0.1.0b14",
        "0.1.0b15",
        "0.1.0b16",
        "0.1.0b17",
        "0.1.0b2",
        "0.1.0b3",
        "0.1.0b4",
        "0.1.0b5",
        "0.1.0b6",
        "0.1.0b7",
        "0.1.0b8",
        "0.1.0b9",
        "0.2.1",
        "0.2.10",
        "0.2.11",
        "0.2.12",
        "0.2.13",
        "0.2.14",
        "0.2.15",
        "0.2.16",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.2.5",
        "0.2.6",
        "0.2.7",
        "0.2.8",
        "0.2.9",
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.3.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29255",
    "GHSA-4v9q-cgpw-cf38"
  ],
  "details": "Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.",
  "id": "PYSEC-2022-43053",
  "modified": "2023-08-02T18:28:00.437362+00:00",
  "published": "2022-06-09T09:15:00+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

gsd-2022-29255

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.

Aliases

CVE-2022-29255

Aliases

CVE-2022-29255

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-29255",
    "description": "Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.",
    "id": "GSD-2022-29255"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-29255"
      ],
      "details": "Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.",
      "id": "GSD-2022-29255",
      "modified": "2023-12-13T01:19:42.084276Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-29255",
        "STATE": "PUBLIC",
        "TITLE": "Multiple evaluation of contract address in call in vyper"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "vyper",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 0.3.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "vyperlang"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-670: Always-Incorrect Control Flow Implementation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38",
            "refsource": "CONFIRM",
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38"
          },
          {
            "name": "https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d",
            "refsource": "MISC",
            "url": "https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-4v9q-cgpw-cf38",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.3.4",
          "affected_versions": "All versions before 0.3.4",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-670",
            "CWE-937"
          ],
          "date": "2023-08-02",
          "description": "### Impact\nwhen a calling an external contract with no return value, the contract address could be evaluated twice. this is usually only an efficiency problem, but if evaluation of the contract address has side effects, it could result in double evaluation of the side effects.\n\nin the following example, `Foo(msg.sender).bar()` is the contract address for the following call (to `.foo()`), and could get evaluated twice\n\n```vyper\ninterface Foo:\n def foo(): nonpayable\n def bar() -\u003e address: nonpayable\n\n@external\ndef do_stuff():\n Foo(Foo(msg.sender).bar()).foo()\n```\n\n### Patches\nv0.3.4\n\n### Workarounds\nassign contract addresses to variables. the above example would change to\n```vyper\n@external\ndef do_stuff():\n t: Foo = Foo(msg.sender).bar()\n t.foo()\n```\n\n### References\n\n### For more information\n",
          "fixed_versions": [
            "0.3.4"
          ],
          "identifier": "GMS-2022-1912",
          "identifiers": [
            "CVE-2022-29255",
            "GHSA-4v9q-cgpw-cf38",
            "GMS-2022-1912"
          ],
          "not_impacted": "All versions starting from 0.3.4",
          "package_slug": "pypi/vyper",
          "pubdate": "2022-06-09",
          "solution": "Upgrade to version 0.3.4 or above.",
          "title": "Multiple evaluation of contract address in call in vyper",
          "urls": [
            "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38",
            "https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d",
            "https://github.com/advisories/GHSA-4v9q-cgpw-cf38"
          ],
          "uuid": "bec24fda-092b-4813-b8b2-82228ef81445"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.3.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-29255"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-670"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4v9q-cgpw-cf38"
            },
            {
              "name": "https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/vyperlang/vyper/commit/6b4d8ff185de071252feaa1c319712b2d6577f8d"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-08-02T16:22Z",
      "publishedDate": "2022-06-09T09:15Z"
    }
  }
}

Action not permitted

cve-2022-29255

Vulnerability from cvelistv5

ghsa-4v9q-cgpw-cf38

Vulnerability from github

Impact

Patches

Workarounds

References

For more information

pysec-2022-43053

Vulnerability from pysec

gsd-2022-29255

Vulnerability from gsd

Tags