GHSA-ph9x-4vc9-m39g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ph9x-4vc9-m39g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-ph9x-4vc9-m39g/GHSA-ph9x-4vc9-m39g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-ph9x-4vc9-m39g
- Aliases
- Published
- 2023-05-12T20:21:00Z
- Modified
- 2024-11-19T16:49:24.897143Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Vyper vulnerable to incorrect ordering of arguments for kwargs passed to internal calls
- Details
-
Impact
Internal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. In the
bar()function in the following code,self.foo(13)is compiled toself.foo(13,12)instead ofself.foo(13,1337).@internal def foo(a:uint256 = 12, b:uint256 = 1337): pass @internal def bar(): self.foo(13)note that at the time of publication, the ability to pass kwargs to internal functions is an undocumented feature that does not seem to be widely used.
Patches
patched in c3e68c302aa6e1429946473769dd1232145822ac
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
- Database specific
{ "severity": "HIGH", "nvd_published_at": "2023-05-11T22:15:11Z", "github_reviewed_at": "2023-05-12T20:21:00Z", "github_reviewed": true, "cwe_ids": [ "CWE-683" ] }- References
-
- https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g
- https://nvd.nist.gov/vuln/detail/CVE-2023-32059
- https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac
- https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-79.yaml
- https://github.com/vyperlang/vyper
Affected packages
PyPI / vyper
Package
- Name
- vyper
- View open source insights on deps.dev
- Purl
- pkg:pypi/vyper
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.3.8
Affected versions
0.*
0.1.0b1
0.1.0b2
0.1.0b3
0.1.0b4
0.1.0b5
0.1.0b6
0.1.0b7
0.1.0b8
0.1.0b9
0.1.0b10
0.1.0b11
0.1.0b12
0.1.0b13
0.1.0b14
0.1.0b15
0.1.0b16
0.1.0b17
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7