Lucene search

GoogleOSV:PYSEC-2023-191

HistorySep 27, 2023 - 3:19 p.m.

PYSEC-2023-191

2023-09-2715:19:00

Google

osv.dev

vyper

smart contract

evm

_abi_decode()

bounds checking

security issue

validation

release 0.3.10

pull request #3626

vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.1 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.0%

JSON

Vyper is a Pythonic Smart Contract Language for the EVM. The _abi_decode() function does not validate input when it is nested in an expression. Uses of _abi_decode() can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release 0.3.10. Users are advised to reference pull request #3626.

CPENameOperatorVersion
vypereq0.3.5
vypereq0.3.10rc2
vypereq0.3.10rc3
vypereq0.3.10rc4
vypereq0.3.6
vypereq0.3.8
vypereq0.3.4
vypereq0.3.10rc5
vypereq0.3.10rc1
vypereq0.3.7

Name	Operator	Version
vyper	eq	0.3.5
vyper	eq	0.3.10rc2
vyper	eq	0.3.10rc3
vyper	eq	0.3.10rc4
vyper	eq	0.3.6
vyper	eq	0.3.8
vyper	eq	0.3.4
vyper	eq	0.3.10rc5
vyper	eq	0.3.10rc1
vyper	eq	0.3.7

Rows per page:

1-10 of 111

References

github.com/vyperlang/vyper/pull/3626

github.com/vyperlang/vyper/security/advisories/GHSA-cx2q-hfxr-rj97

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.1 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.0%

JSON

Related for OSV:PYSEC-2023-191