CVE-2022-39354 – evm

Package

Manager: cargo
Name: evm
Vulnerable Version: >=0 <0.36.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00073 pctl0.22665

Details

Incorrect is_static parameter for custom stateful precompiles in SputnikVM (evm) ### Impact A custom stateful precompile can use the `is_static` parameter to determine if the call is executed in a static context (via `STATICCALL`), and thus decide if stateful operations should be done. Previously, the passed `is_static` parameter was incorrect -- it was only set to `true` if the call comes from a **direct** `STATICCALL` opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually uses `is_static`. The maintainers estimate the usage is low. However, for those affected, it can lead to possible incorrect state transitions. ### Patches PR: https://github.com/rust-blockchain/evm/pull/133 Released in v0.36.0. Older patch versions can be released on request if anyone needs them. Simply contact @sorpaas by email to request it. ### For more information If you have any questions or comments about this advisory: * Open an issue in [evm repo](https://github.com/rust-blockchain/evm) * Email Wei at [wei@that.world](mailto:wei@that.world)

Metadata

Created: 2022-10-25T22:27:21Z
Modified: 2022-10-25T22:27:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-hhc4-47rh-cr34/GHSA-hhc4-47rh-cr34.json
CWE IDs: ["CWE-670"]
Alternative ID: GHSA-hhc4-47rh-cr34
Finding: F164
Auto approve: 1