CVE-2023-41052 – vyper

Package

Manager: pip
Name: vyper
Vulnerable Version: >=0 <0.3.10rc1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0007 pctl0.21813

Details

incorrect order of evaluation of side effects for some builtins ### Impact The order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order. • For `uint256_addmod(a,b,c)` and `uint256_mulmod(a,b,c)`, the order is `c,a,b`. • For `ecadd(a,b)` and `ecmul(a,b)`, the order is `b,a`. Note that this behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. ### Patches https://github.com/vyperlang/vyper/pull/3583 ### Workarounds When using builtins from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects. ### References _Are there any links users can visit to find out more?_

Metadata

Created: 2023-09-04T16:39:49Z
Modified: 2024-11-19T17:22:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-4hg4-9mf5-wxxq/GHSA-4hg4-9mf5-wxxq.json
CWE IDs: ["CWE-670"]
Alternative ID: GHSA-4hg4-9mf5-wxxq
Finding: F164
Auto approve: 1