CVE-2023-32059

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac	Patch
https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-05-11 22:15

Updated : 2023-08-02 16:22

NVD link : CVE-2023-32059

Mitre link : CVE-2023-32059

CVE.ORG link : CVE-2023-32059

JSON object : View

Products Affected

vyperlang

vyper

CWE

NVD-CWE-noinfo CWE-683

Function Call With Incorrect Order of Arguments

{"id": "CVE-2023-32059", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-05-11T22:15:11.803", "references": [{"url": "https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-683"}]}], "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8."}], "lastModified": "2023-08-02T16:22:18.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E33CC4B-8A7D-4AB9-91C6-7B103ED59531", "versionEndExcluding": "0.3.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}