PYSEC-2024-147
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/vyper/PYSEC-2024-147.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2024-147
- Aliases
- Published
- 2024-02-05T21:15:00Z
- Modified
- 2024-11-21T14:57:09.681968Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the
IRforsha3_64. Concretely, theheightvariable is miscalculated. The vulnerability can't be triggered without writing theIRby hand (that is, it cannot be triggered from regular vyper code).sha3_64is used for retrieval in mappings. No flow that would cache thekeywas found so the issue shouldn't be possible to trigger when compiling the compiler-generatedIR. This issue isn't triggered during normal compilation of vyper code so the impact is low. At the time of publication there is no patch available. - References
Affected packages
PyPI / vyper
Package
- Name
- vyper
- View open source insights on deps.dev
- Purl
- pkg:pypi/vyper
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.4.0b1
Affected versions
0.*
0.1.0b1
0.1.0b2
0.1.0b3
0.1.0b4
0.1.0b5
0.1.0b6
0.1.0b7
0.1.0b8
0.1.0b9
0.1.0b10
0.1.0b11
0.1.0b12
0.1.0b13
0.1.0b14
0.1.0b15
0.1.0b16
0.1.0b17
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10rc1
0.3.10rc2
0.3.10rc3
0.3.10rc4
0.3.10rc5
0.3.10