CVE-2023-42443 Detail
Received
This vulnerability has been received by the NVD and has not been analyzed.
Description
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In version 0.3.9 and prior, under certain conditions, the memory used by the builtins `raw_call`, `create_from_blueprint` and `create_copy_of` can be corrupted. For `raw_call`, the argument buffer of the call can be corrupted, leading to incorrect `calldata` in the sub-context. For `create_from_blueprint` and `create_copy_of`, the buffer for the to-be-deployed bytecode can be corrupted, leading to deploying incorrect bytecode. Each builtin has conditions that must be fulfilled for the corruption to happen. For `raw_call`, the `data` argument of the builtin must be `msg.data` and the `value` or `gas` passed to the builtin must be some complex expression that results in writing to memory. For `create_copy_of`, the `value` or `salt` passed to the builtin must be some complex expression that results in writing to memory. For `create_from_blueprint`, either no constructor parameters should be passed to the builtin or `raw_args` should be set to True, and the `value` or `salt` passed to the builtin must be some complex expression that results in writing to memory. As of time of publication, no patched version exists. The issue is still being investigated, and there might be other cases where the corruption might happen. When the builtin is being called from an `internal` function `F`, the issue is not present provided that the function calling `F` wrote to memory before calling `F`. As a workaround, the complex expressions that are being passed as kwargs to the builtin should be cached in memory prior to the call to the builtin.
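The affected `raw_call` pattern next to the advisory's workaround, as an added Vyper example that is not part of the NVD record or the Vyper project's own code; the `Oracle` interface, the `_fee` helper and the two `forward_*` functions are hypothetical, chosen so that the `value` kwarg is an inline expression whose evaluation (an external call whose return data is copied to memory) writes to memory while the `msg.data` buffer is being prepared.

```vyper
# @version 0.3.9

# Hypothetical dependency: any external call whose result lands in memory
# qualifies as a "complex expression" in the sense of the advisory.
interface Oracle:
    def current_fee() -> uint256: view

oracle: public(address)

@internal
@view
def _fee() -> uint256:
    # The STATICCALL return value is written to memory here.
    return Oracle(self.oracle).current_fee()

@external
@payable
def forward_unsafe(target: address) -> Bytes[32]:
    # Affected pattern (Vyper <= 0.3.9): data is msg.data AND value is a
    # complex expression evaluated inline while the argument buffer is built,
    # so the calldata forwarded to `target` can be corrupted.
    return raw_call(target, msg.data, value=self._fee(), max_outsize=32)

@external
@payable
def forward_workaround(target: address) -> Bytes[32]:
    # Workaround from the advisory: cache the complex expression in memory
    # (a local variable) before invoking the builtin, so only a plain
    # variable read happens while msg.data is being copied.
    fee: uint256 = self._fee()
    return raw_call(target, msg.data, value=fee, max_outsize=32)
```

The same caching applies to `value`, `gas` or `salt` kwargs of `create_copy_of` and `create_from_blueprint`, which the advisory lists under the same condition.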
Severity
References to Advisories, Solutions, and Tools
https://github.com/vyperlang/vyper/issues/3609
https://github.com/vyperlang/vyper/security/advisories/GHSA-c647-pxm2-c52w
Weakness Enumeration
CWE-787: Out-of-bounds Write
Change History
0 change records found
Quick Info
CVE Dictionary Entry: CVE-2023-42443
NVD Published Date: 09/18/2023
NVD Last Modified: 09/18/2023
Source: GitHub, Inc.