_abi_decode input not validated in complex expressions in Vyper
CVE-2023-42460

5.3MEDIUM

Key Information:

Vendor: Vyperlang
Status: Vyper
Vendor: CVE Published:; 27 September 2023

What is CVE-2023-42460?

Vyper is a Pythonic Smart Contract Language for the EVM. The _abi_decode() function does not validate input when it is nested in an expression. Uses of _abi_decode() can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a fix is expected in release 0.3.10. Users are advised to reference pull request #3626.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

vyper >= 0.3.4, < 0.3.10

References

https://github.com/vyperlang/vyper/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/vyperlang/vyper/pull/3626

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 27, 2023
Vulnerability Reserved
Sep 8, 2023

JSON

Vyperlang

What is CVE-2023-42460?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.