CVE-2023-32059

Опубликовано: 11 мая 2023

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about. The issue is patched in version 0.3.8.

Ссылки

https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac
Patch
https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g
Exploit
Vendor Advisory
https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac
Patch
https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*

Версия до 0.3.8 (исключая)

EPSS

Процентиль: 20%

0.00064

Низкий

7.5 High

CVSS3

Дефекты

CWE-683

NVD-CWE-noinfo

Связанные уязвимости

GHSA-ph9x-4vc9-m39g