pysec - pysec-2023-191

pysec-2023-191

Vulnerability from pysec

Published

2023-09-27 15:19

Modified

2023-10-04 20:26

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

Vyper is a Pythonic Smart Contract Language for the EVM. The _abi_decode() function does not validate input when it is nested in an expression. Uses of _abi_decode() can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release 0.3.10. Users are advised to reference pull request #3626.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper",
        "purl": "pkg:pypi/vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.4"
            },
            {
              "fixed": "0.3.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.3.10rc1",
        "0.3.10rc2",
        "0.3.10rc3",
        "0.3.10rc4",
        "0.3.10rc5",
        "0.3.4",
        "0.3.5",
        "0.3.6",
        "0.3.7",
        "0.3.8",
        "0.3.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-42460",
    "GHSA-cx2q-hfxr-rj97"
  ],
  "details": "Vyper is a Pythonic Smart Contract Language for the EVM. The `_abi_decode()` function does not validate input when it is nested in an expression. Uses of `_abi_decode()` can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release `0.3.10`. Users are advised to reference pull request #3626.",
  "id": "PYSEC-2023-191",
  "modified": "2023-10-04T20:26:42.494872+00:00",
  "published": "2023-09-27T15:19:00+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vyperlang/vyper/pull/3626"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2023-42460

Vulnerability from cvelistv5

Published

2023-09-26 18:47

Modified

2024-09-24 13:45

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

_abi_decode input not validated in complex expressions in Vyper

References

▼	URL	Tags
	https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97	x_refsource_CONFIRM
	https://github.com/vyperlang/vyper/pull/3626	x_refsource_MISC

Impacted products

▼	Vendor	Product
	vyperlang	vyper

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:38.895Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97"
          },
          {
            "name": "https://github.com/vyperlang/vyper/pull/3626",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/pull/3626"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-42460",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-24T13:20:49.007393Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-24T13:45:05.798Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vyper",
          "vendor": "vyperlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.3.4, \u003c 0.3.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vyper is a Pythonic Smart Contract Language for the EVM. The `_abi_decode()` function does not validate input when it is nested in an expression. Uses of `_abi_decode()` can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release `0.3.10`. Users are advised to reference pull request #3626."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-682",
              "description": "CWE-682: Incorrect Calculation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-26T18:47:09.721Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97"
        },
        {
          "name": "https://github.com/vyperlang/vyper/pull/3626",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vyperlang/vyper/pull/3626"
        }
      ],
      "source": {
        "advisory": "GHSA-cx2q-hfxr-rj97",
        "discovery": "UNKNOWN"
      },
      "title": "_abi_decode input not validated in complex expressions in Vyper"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-42460",
    "datePublished": "2023-09-26T18:47:09.721Z",
    "dateReserved": "2023-09-08T20:57:45.574Z",
    "dateUpdated": "2024-09-24T13:45:05.798Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

ghsa-cx2q-hfxr-rj97

Vulnerability from github

Published

2023-09-26 19:34

Modified

2023-09-27 15:42

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

Vyper's `_abi_decode` input not validated in complex expressions

Details

Impact

_abi_decode() does not validate input when it is nested in an expression. the following example gets correctly validated (bounds checked): vyper x: int128 = _abi_decode(slice(msg.data, 4, 32), int128)

however, the following example is not bounds checked vyper @external def abi_decode(x: uint256) -> uint256: a: uint256 = convert(_abi_decode(slice(msg.data, 4, 32), (uint8)), uint256) + 1 return a # abi_decode(256) returns: 257

the issue can be triggered by constructing an example where the output of _abi_decode is not internally passed to make_setter (an internal codegen routine) or other input validating routine.

Patches

https://github.com/vyperlang/vyper/pull/3626

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.4"
            },
            {
              "fixed": "0.3.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-42460"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-26T19:34:53Z",
    "nvd_published_at": "2023-09-27T15:19:32Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n`_abi_decode()` does not validate input when it is nested in an expression. the following example gets correctly validated (bounds checked):\n```vyper\nx: int128 = _abi_decode(slice(msg.data, 4, 32), int128)\n```\n\nhowever, the following example is not bounds checked\n```vyper\n@external\ndef abi_decode(x: uint256) -\u003e uint256:\n    a: uint256 = convert(_abi_decode(slice(msg.data, 4, 32), (uint8)), uint256) + 1\n    return a  # abi_decode(256) returns: 257\n```\n\nthe issue can be triggered by constructing an example where the output of `_abi_decode` is not internally passed to `make_setter` (an internal codegen routine) or other input validating routine.\n\n### Patches\nhttps://github.com/vyperlang/vyper/pull/3626\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_\n",
  "id": "GHSA-cx2q-hfxr-rj97",
  "modified": "2023-09-27T15:42:42Z",
  "published": "2023-09-26T19:34:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42460"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/pull/3626"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vyper\u0027s `_abi_decode` input not validated in complex expressions"
}

Action not permitted

pysec-2023-191

Vulnerability from pysec

cve-2023-42460

Vulnerability from cvelistv5

ghsa-cx2q-hfxr-rj97

Vulnerability from github

Impact

Patches

Workarounds

References

Tags