{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41052", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-22T16:57:23.933Z", "datePublished": "2023-09-04T17:36:23.480Z", "dateUpdated": "2024-09-26T18:30:33.353Z"}, "containers": {"cna": {"title": "Vyper: incorrect order of evaluation of side effects for some builtins", "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "lang": "en", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq"}, {"name": "https://github.com/vyperlang/vyper/pull/3583", "tags": ["x_refsource_MISC"], "url": "https://github.com/vyperlang/vyper/pull/3583"}], "affected": [{"vendor": "vyperlang", "product": "vyper", "versions": [{"version": "<= 0.3.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-04T17:36:23.480Z"}, "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects."}], "source": {"advisory": "GHSA-4hg4-9mf5-wxxq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:46:11.683Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq"}, {"name": "https://github.com/vyperlang/vyper/pull/3583", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vyperlang/vyper/pull/3583"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-26T18:04:38.192633Z", "id": "CVE-2023-41052", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T18:30:33.353Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/vyperlang/vyper/pull/3583", "name": "https://github.com/vyperlang/vyper/pull/3583", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:46:11.683Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-41052", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-26T18:04:38.192633Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T18:30:29.475Z"}}], "cna": {"title": "Vyper: incorrect order of evaluation of side effects for some builtins", "source": {"advisory": "GHSA-4hg4-9mf5-wxxq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "vyperlang", "product": "vyper", "versions": [{"status": "affected", "version": "<= 0.3.9"}]}], "references": [{"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vyperlang/vyper/pull/3583", "name": "https://github.com/vyperlang/vyper/pull/3583", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670: Always-Incorrect Control Flow Implementation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-04T17:36:23.480Z"}}}, "cveMetadata": {"cveId": "CVE-2023-41052", "state": "PUBLISHED", "dateUpdated": "2024-09-26T18:30:33.353Z", "dateReserved": "2023-08-22T16:57:23.933Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-09-04T17:36:23.480Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*", "matchCriteriaId": "56FB25B4-6446-4B4B-87AA-D4368B4B8685", "versionEndIncluding": "0.3.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects."}, {"lang": "es", "value": "Vyper es un Lenguaje de Contrato Inteligente de Python. En las versiones afectadas, el orden de evaluaci\u00f3n de los argumentos de las funciones integradas `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` no sigue el orden de origen. Este comportamiento es problem\u00e1tico cuando la evaluaci\u00f3n de uno de los argumentos produce efectos secundarios de los que dependen otros argumentos. Actualmente se est\u00e1 desarrollando un parche mediante la solicitud de extracci\u00f3n #3583. Al utilizar elementos integrados de la lista anterior, los usuarios deben asegurarse de que los argumentos de la expresi\u00f3n no produzcan efectos secundarios o, si los produce, que ning\u00fan otro argumento dependa de esos efectos secundarios."}], "id": "CVE-2023-41052", "lastModified": "2024-11-21T08:20:27.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-04T18:15:08.657", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vyperlang/vyper/pull/3583"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/vyperlang/vyper/pull/3583"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-670"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}