CVE-2024-24560

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata. When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*

History

12 Feb 2024, 15:23

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~3.7~~	v2 : unknown v3 : 5.3
CPE		cpe:2.3:a:vyperlang:vyper::::::python::*
First Time		Vyperlang vyper Vyperlang
References	~~() https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686 -~~	() https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686 - Exploit, Vendor Advisory

02 Feb 2024, 21:13

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-02 17:15

Updated : 2024-02-12 15:23

NVD link : CVE-2024-24560

Mitre link : CVE-2024-24560

CVE.ORG link : CVE-2024-24560

JSON object : View

Products Affected

vyperlang

vyper

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

{"id": "CVE-2024-24560", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2024-02-02T17:15:11.720", "references": [{"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata. When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned."}, {"lang": "es", "value": "Vyper es un lenguaje de contrato inteligente pit\u00f3nico para la m\u00e1quina virtual Ethereum. Cuando se realizan llamadas a contratos externos, escribimos el b\u00fafer de entrada comenzando en el byte 28 y asignamos el b\u00fafer de retorno para que comience en el byte 0 (superponi\u00e9ndose con el b\u00fafer de entrada). Al verificar RETURNDATASIZE para tipos din\u00e1micos, el tama\u00f1o se compara solo con el tama\u00f1o m\u00ednimo permitido para ese tipo y no con la longitud del valor devuelto. Como resultado, los datos de devoluci\u00f3n con formato incorrecto pueden hacer que el contrato confunda los datos del b\u00fafer de entrada con los datos de devoluci\u00f3n. Cuando el contrato llamado devuelve datos codificados ABIv2 no v\u00e1lidos, el contrato que llama puede leer datos no v\u00e1lidos diferentes (del b\u00fafer sucio) que los devueltos por el contrato llamado."}], "lastModified": "2024-02-12T15:23:42.867", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "832C489D-4288-46B4-A29E-0E7168748042", "versionEndIncluding": "0.3.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}