CVE-2024-22419

{"id": "CVE-2024-22419", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}]}, "published": "2024-01-18T19:15:10.550", "references": [{"url": "https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vyperlang/vyper/issues/3737", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-120"}]}], "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build_IR` for `concat` doesn't properly adhere to the API of copy functions (for `>=0.3.2` the `copy_bytes` function). A contract search was performed and no vulnerable contracts were found in production. The buffer overflow can result in the change of semantics of the contract. The overflow is length-dependent and thus it might go unnoticed during contract testing. However, certainly not all usages of concat will result in overwritten valid data as we require it to be in an internal function and close to the return statement where other memory allocations don't occur. This issue has been addressed in 0.4.0."}, {"lang": "es", "value": "Vyper es un lenguaje de contrato inteligente pit\u00f3nico para la m\u00e1quina virtual Ethereum. El `concat` integrado puede escribir sobre los l\u00edmites del b\u00fafer de memoria que se le asign\u00f3 y as\u00ed sobrescribir los datos v\u00e1lidos existentes. La causa principal es que `build_IR` para `concat` no se adhiere correctamente a la API de funciones de copia (para `>=0.3.2` la funci\u00f3n `copy_bytes`). Se realiz\u00f3 una b\u00fasqueda de contratos y no se encontraron contratos vulnerables en producci\u00f3n. El desbordamiento de b\u00fafer puede provocar un cambio en la sem\u00e1ntica del contrato. El desbordamiento depende de la longitud y, por lo tanto, puede pasar desapercibido durante las pruebas del contrato. Sin embargo, ciertamente no todos los usos de concat dar\u00e1n como resultado la sobrescritura de datos v\u00e1lidos, ya que requerimos que est\u00e9n en una funci\u00f3n interna y cerca de la declaraci\u00f3n de devoluci\u00f3n donde no ocurren otras asignaciones de memoria. Este problema se solucion\u00f3 en el commit `55e18f6d1` que se incluir\u00e1 en versiones futuras. Se recomienda a los usuarios que actualicen cuando sea posible."}], "lastModified": "2024-10-09T20:15:07.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "832C489D-4288-46B4-A29E-0E7168748042", "versionEndIncluding": "0.3.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}