{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40015", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-08T13:46:25.241Z", "datePublished": "2023-09-04T17:39:12.822Z", "dateUpdated": "2024-11-19T16:46:23.708Z"}, "containers": {"cna": {"title": "Vyper: reversed order of side effects for some operations", "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "lang": "en", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf"}], "affected": [{"vendor": "vyperlang", "product": "vyper", "versions": [{"version": "<= 0.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-19T16:46:23.708Z"}, "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)`. This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, `raw_call`, `pop()` when used on a Dynamic Array stored in the storage, `create_minimal_proxy_to`, `create_copy_of`, `create_from_blueprint`. This issue has not yet been patched. Users are advised to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects."}], "source": {"advisory": "GHSA-g2xh-c426-v8mf", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.461Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-26T18:04:27.979211Z", "id": "CVE-2023-40015", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T18:30:19.912Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf", "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.461Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-40015", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-26T18:04:27.979211Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T18:30:15.822Z"}}], "cna": {"title": "Vyper: reversed order of side effects for some operations", "source": {"advisory": "GHSA-g2xh-c426-v8mf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "vyperlang", "product": "vyper", "versions": [{"status": "affected", "version": "<= 0.4.0"}]}], "references": [{"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf", "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)`. This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, `raw_call`, `pop()` when used on a Dynamic Array stored in the storage, `create_minimal_proxy_to`, `create_copy_of`, `create_from_blueprint`. This issue has not yet been patched. Users are advised to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670: Always-Incorrect Control Flow Implementation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-19T16:46:23.708Z"}}}, "cveMetadata": {"cveId": "CVE-2023-40015", "state": "PUBLISHED", "dateUpdated": "2024-11-19T16:46:23.708Z", "dateReserved": "2023-08-08T13:46:25.241Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-09-04T17:39:12.822Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*", "matchCriteriaId": "56FB25B4-6446-4B4B-87AA-D4368B4B8685", "versionEndIncluding": "0.3.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. `unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)`. This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect: state modifying external call , state modifying internal call, `raw_call`, `pop()` when used on a Dynamic Array stored in the storage, `create_minimal_proxy_to`, `create_copy_of`, `create_from_blueprint`. This issue has not yet been patched. Users are advised to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects."}, {"lang": "es", "value": "Vyper es un Lenguaje de Contratos Inteligentes de Python. Para la siguiente lista de expresiones (probablemente no exhaustiva), el compilador eval\u00faa los argumentos de derecha a izquierda en lugar de izquierda a derecha. \"unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &amp;, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, &lt;, &gt;, &lt;=, &gt;=, ==, !=, in, not in (cuando lhs y rhs son enums)\". Este comportamiento se convierte en un problema cuando la evaluaci\u00f3n de uno de los argumentos produce efectos secundarios de los que dependen otros argumentos. Las siguientes expresiones pueden producir efectos secundarios: llamada externa que modifica el estado, llamada interna que modifica el estado, \"raw_call\", \"pop()\" cuando se utiliza un array din\u00e1mico almacenado en el almacenamiento, \"create_minimal_proxy_to\", \"create_copy_of\" y \"create_from_blueprint\". Este problema a\u00fan no se ha solucionado. Se aconseja a los usuarios que se aseguren de que los argumentos de la expresi\u00f3n no producen efectos secundarios o, si alguno los produce, de que ning\u00fan otro argumento depende de esos efectos secundarios. "}], "id": "CVE-2023-40015", "lastModified": "2023-09-08T13:58:23.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-04T18:15:07.880", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}