CVE-2023-41052 - OpenCVE

Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vyperlang	Vyper

Configuration 1 [-]

cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*

No data.

References

Link	Providers
https://github.com/vyperlang/vyper/pull/3583
https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-04T17:36:23.480Z

Updated: 2024-08-02T18:46:11.683Z

Reserved: 2023-08-22T16:57:23.933Z

Link: CVE-2023-41052

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-09-04T18:15:08.657

Modified: 2023-09-08T14:08:27.387

Link: CVE-2023-41052

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41052", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-22T16:57:23.933Z", "datePublished": "2023-09-04T17:36:23.480Z", "dateUpdated": "2024-08-02T18:46:11.683Z"}, "containers": {"cna": {"title": "Vyper: incorrect order of evaluation of side effects for some builtins", "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "lang": "en", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq"}, {"name": "https://github.com/vyperlang/vyper/pull/3583", "tags": ["x_refsource_MISC"], "url": "https://github.com/vyperlang/vyper/pull/3583"}], "affected": [{"vendor": "vyperlang", "product": "vyper", "versions": [{"version": "<= 0.3.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-04T17:36:23.480Z"}, "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects."}], "source": {"advisory": "GHSA-4hg4-9mf5-wxxq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:46:11.683Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq"}, {"name": "https://github.com/vyperlang/vyper/pull/3583", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vyperlang/vyper/pull/3583"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*", "matchCriteriaId": "56FB25B4-6446-4B4B-87AA-D4368B4B8685", "versionEndIncluding": "0.3.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects."}, {"lang": "es", "value": "Vyper es un Lenguaje de Contrato Inteligente de Python. En las versiones afectadas, el orden de evaluaci\u00f3n de los argumentos de las funciones integradas `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` no sigue el orden de origen. Este comportamiento es problem\u00e1tico cuando la evaluaci\u00f3n de uno de los argumentos produce efectos secundarios de los que dependen otros argumentos. Actualmente se est\u00e1 desarrollando un parche mediante la solicitud de extracci\u00f3n #3583. Al utilizar elementos integrados de la lista anterior, los usuarios deben asegurarse de que los argumentos de la expresi\u00f3n no produzcan efectos secundarios o, si los produce, que ning\u00fan otro argumento dependa de esos efectos secundarios."}], "id": "CVE-2023-41052", "lastModified": "2023-09-08T14:08:27.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-04T18:15:08.657", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vyperlang/vyper/pull/3583"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-670"}], "source": "security-advisories@github.com", "type": "Secondary"}]}