cvelistv5 - cve-2023-32059

▼	URL	Tags
	security-advisories@github.com	https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac	Patch
	security-advisories@github.com	https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g	Exploit, Vendor Advisory

▼	Vendor	Product
	vyperlang	vyper

pysec-2023-79

Vulnerability from pysec

Published

2023-05-11 22:15

Modified

2023-06-05 01:13

Details

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper",
        "purl": "pkg:pypi/vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "c3e68c302aa6e1429946473769dd1232145822ac"
            }
          ],
          "repo": "https://github.com/vyperlang/vyper",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0b1",
        "0.1.0b10",
        "0.1.0b11",
        "0.1.0b12",
        "0.1.0b13",
        "0.1.0b14",
        "0.1.0b15",
        "0.1.0b16",
        "0.1.0b17",
        "0.1.0b2",
        "0.1.0b3",
        "0.1.0b4",
        "0.1.0b5",
        "0.1.0b6",
        "0.1.0b7",
        "0.1.0b8",
        "0.1.0b9",
        "0.2.1",
        "0.2.10",
        "0.2.11",
        "0.2.12",
        "0.2.13",
        "0.2.14",
        "0.2.15",
        "0.2.16",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.2.5",
        "0.2.6",
        "0.2.7",
        "0.2.8",
        "0.2.9",
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.3.6",
        "0.3.7"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32059",
    "GHSA-ph9x-4vc9-m39g"
  ],
  "details": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8.",
  "id": "PYSEC-2023-79",
  "modified": "2023-06-05T01:13:03.051477Z",
  "published": "2023-05-11T22:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
    }
  ]
}

ghsa-ph9x-4vc9-m39g

Vulnerability from github

Published

2023-05-12 20:21

Modified

2023-06-05 21:16

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls

Details

Impact

Internal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. In the bar() function in the following code, self.foo(13) is compiled to self.foo(13,12) instead of self.foo(13,1337).

```vyper @internal def foo(a:uint256 = 12, b:uint256 = 1337): pass

@internal def bar(): self.foo(13) ```

note that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.

Patches

patched in c3e68c302aa6e1429946473769dd1232145822ac

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-683"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-12T20:21:00Z",
    "nvd_published_at": "2023-05-11T22:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nInternal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments\nprovided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible,\ntypechecking is bypassed. In the `bar()` function in the following code, `self.foo(13)` is compiled to\n`self.foo(13,12)` instead of `self.foo(13,1337)`.\n\n```vyper\n@internal\ndef foo(a:uint256 = 12, b:uint256 = 1337):\n    pass\n\n@internal\ndef bar():\n    self.foo(13)\n```\n\nnote that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.\n\n### Patches\npatched in c3e68c302aa6e1429946473769dd1232145822ac\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_\n",
  "id": "GHSA-ph9x-4vc9-m39g",
  "modified": "2023-06-05T21:16:32Z",
  "published": "2023-05-12T20:21:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32059"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls"
}

gsd-2023-32059

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8.

Aliases

CVE-2023-32059

Aliases

CVE-2023-32059

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-32059",
    "id": "GSD-2023-32059"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-32059"
      ],
      "details": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8.",
      "id": "GSD-2023-32059",
      "modified": "2023-12-13T01:20:23.820205Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-32059",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "vyper",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 0.3.8"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "vyperlang"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-683",
                "lang": "eng",
                "value": "CWE-683: Function Call With Incorrect Order of Arguments"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g",
            "refsource": "MISC",
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
          },
          {
            "name": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac",
            "refsource": "MISC",
            "url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-ph9x-4vc9-m39g",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.3.8",
          "affected_versions": "All versions before 0.3.8",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-08-02",
          "description": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8.",
          "fixed_versions": [
            "0.3.8"
          ],
          "identifier": "CVE-2023-32059",
          "identifiers": [
            "CVE-2023-32059",
            "GHSA-ph9x-4vc9-m39g"
          ],
          "not_impacted": "All versions starting from 0.3.8",
          "package_slug": "pypi/vyper",
          "pubdate": "2023-05-11",
          "solution": "Upgrade to version 0.3.8 or above.",
          "title": "Function Call With Incorrect Order of Arguments",
          "urls": [
            "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-32059",
            "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac",
            "https://github.com/advisories/GHSA-ph9x-4vc9-m39g"
          ],
          "uuid": "f08a1131-c5a7-474d-9725-3d2300565a7c"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.3.8",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-32059"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac"
            },
            {
              "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-08-02T16:22Z",
      "publishedDate": "2023-05-11T22:15Z"
    }
  }
}

Action not permitted

cve-2023-32059

Vulnerability from cvelistv5

pysec-2023-79

Vulnerability from pysec

ghsa-ph9x-4vc9-m39g

Vulnerability from github

Impact

Patches

Workarounds

References

gsd-2023-32059

Vulnerability from gsd

Tags