CVE-2023-46247

Published: Dec 13, 2023 | Last Modified: Nov 21, 2024 | EU-VD ID: EUVD-2023-0276 | Aliases: GHSA-6m97-7527-mh74, PYSEC-2023-307

Severity: HIGH (CVSS 7.5)
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: high
Availability: none

Description

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Contracts containing large arrays might underallocate the number of slots they need by 1. Prior to v0.3.8, the calculation to determine how many slots a storage variable needed used `math.ceil(type_.size_in_bytes / 32)`. The intermediate floating-point step can produce a rounding error if there are enough bits set in the IEEE-754 mantissa. Roughly speaking, if `type_.size_in_bytes` is large (> 2**46) and slightly less than a power of 2, the calculation can overestimate how many slots are needed by 1. If `type_.size_in_bytes` is slightly more than a power of 2, the calculation can underestimate how many slots are needed by 1. This issue is patched in version 0.3.8.
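The rounding behaviour described above, as an added example that is not code from the Vyper project: `slots_buggy` reproduces the pre-0.3.8 formula quoted in the description, `slots_fixed` is a pure-integer ceiling division standing in for the fix (an assumption about the patch, not its actual code), and `first_mismatch` scans sizes of the form 2**k + d to locate the smallest such size where the two disagree.

```python
import math

SLOT_BYTES = 32  # one EVM storage slot holds 32 bytes


def slots_buggy(size_in_bytes: int) -> int:
    """Pre-0.3.8 formula from the advisory.

    int / int true division yields a float rounded to 53 significant bits.
    Once the quotient is large enough, the fractional part (e.g. 1/32)
    is rounded away and the ceiling comes out one slot short.
    """
    return math.ceil(size_in_bytes / SLOT_BYTES)


def slots_fixed(size_in_bytes: int) -> int:
    """Integer-only ceiling division (assumed replacement): exact for any size."""
    return -(-size_in_bytes // SLOT_BYTES)


def first_mismatch(k_lo: int = 40, k_hi: int = 64, d_max: int = 63):
    """Scan sizes 2**k + d (k ascending, then d) and return the first
    (k, d, buggy_slots, fixed_slots) where the two formulas disagree,
    or None if they always agree in the scanned range."""
    for k in range(k_lo, k_hi + 1):
        for d in range(0, d_max + 1):
            size = 2**k + d
            buggy, fixed = slots_buggy(size), slots_fixed(size)
            if buggy != fixed:
                return (k, d, buggy, fixed)
    return None


if __name__ == "__main__":
    # Constructed sample: one byte past 2**54 needs 2**49 + 1 slots, but the
    # float path reports 2**49. An underallocated array would share its last
    # slot with whatever storage variable is laid out next (the integrity impact).
    size = 2**54 + 1
    print(f"size={size}: buggy={slots_buggy(size)} fixed={slots_fixed(size)}")
    print("first mismatch (k, d, buggy, fixed):", first_mismatch())
```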

EPSS (Exploit Prediction Scoring System)


Predicts the probability of exploitation based on threat intelligence and vulnerability characteristics.

EPSS Score: 0.0034
Percentile: 0.6th

CWE-193: Off-by-one Error (status: Draft)
Security Scopes Affected: Availability, Integrity, Confidentiality, Access Control
Potential Impacts: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Instability; Modify Memory; Execute Unauthorized Code or Commands; Bypass Protection Mechanism
Applicable Platforms: Languages: C, Not Language-Specific

CWE-682: Incorrect Calculation (status: Draft)
Security Scopes Affected: Availability, Integrity, Confidentiality, Access Control
Potential Impacts: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (Other); Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity; Bypass Protection Mechanism
Applicable Platforms: All platforms may be affected

Application

Vyper by Vyperlang

Affected Version Range: up to 0.3.8 (exclusive)
CPE: cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*
https://github.com/vyperlang/vyper/blob/6020b8bbf66b062d299d87bc7e4eddc4c9d1c15…
https://github.com/vyperlang/vyper/commit/0bb7203b584e771b23536ba065a6efda45716…
https://github.com/vyperlang/vyper/security/advisories/GHSA-6m97-7527-mh74