CVE-2024-24561 - Vulnerability Details - OpenCVE

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vyperlang	Vyper

Configuration 1 [-]

cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*

No data.

References

Link	Providers
https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457
https://github.com/vyperlang/vyper/issues/3756
https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-01T16:37:01.007Z

Updated: 2024-08-01T23:19:52.835Z

Reserved: 2024-01-25T15:09:40.209Z

Link: CVE-2024-24561

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-02-01T17:15:11.180

Modified: 2024-11-21T08:59:25.447

Link: CVE-2024-24561

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24561", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-25T15:09:40.209Z", "datePublished": "2024-02-01T16:37:01.007Z", "dateUpdated": "2024-08-01T23:19:52.835Z"}, "containers": {"cna": {"title": "Vyper bounds check on built-in `slice()` function can be overflowed", "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "lang": "en", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c"}, {"name": "https://github.com/vyperlang/vyper/issues/3756", "tags": ["x_refsource_MISC"], "url": "https://github.com/vyperlang/vyper/issues/3756"}, {"name": "https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457", "tags": ["x_refsource_MISC"], "url": "https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457"}], "affected": [{"vendor": "vyperlang", "product": "vyper", "versions": [{"version": "<= 0.3.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-01T17:39:47.539Z"}, "descriptions": [{"lang": "en", "value": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array.\n\n"}], "source": {"advisory": "GHSA-9x7f-gwxq-6f2c", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:19:52.835Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c"}, {"name": "https://github.com/vyperlang/vyper/issues/3756", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vyperlang/vyper/issues/3756"}, {"name": "https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*", "matchCriteriaId": "832C489D-4288-46B4-A29E-0E7168748042", "versionEndIncluding": "0.3.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array.\n\n"}, {"lang": "es", "value": "Vyper es un lenguaje de contrato inteligente de python para la m\u00e1quina virtual ethereum. En las versiones 0.3.10 y anteriores, la verificaci\u00f3n de los l\u00edmites para sectores no tiene en cuenta la capacidad de inicio + longitud de desbordarse cuando los valores no son literales. Si una funci\u00f3n slice() utiliza un argumento no literal para la variable de inicio o longitud, esto crea la capacidad para que un atacante desborde la verificaci\u00f3n de los l\u00edmites. Este problema se puede utilizar para realizar acceso OOB a direcciones de almacenamiento, memoria o datos de llamada. Tambi\u00e9n se puede utilizar para corromper la ranura de longitud de la matriz respectiva."}], "id": "CVE-2024-24561", "lastModified": "2024-11-21T08:59:25.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-01T17:15:11.180", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/vyperlang/vyper/issues/3756"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/vyperlang/vyper/issues/3756"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}