CVE-2021-41122 - OpenCVE

Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. The can lead to logic errors. This issue has been resolved in version 0.3.0.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Vyperlang	Vyper

Configuration 1 [-]

cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/vyperlang/vyper/pull/2447	Third Party Advisory
https://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-10-05T23:00:11

Updated: 2021-10-05T23:00:11

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41122

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-10-05T23:15:07.487

Modified: 2023-08-02T16:22:18.663

Link: CVE-2021-41122

JSON object: View

Redhat Information

No data.

CWE

CWE-682

{"containers": {"cna": {"affected": [{"product": "vyper", "vendor": "vyperlang", "versions": [{"status": "affected", "version": "< 0.3.0"}]}], "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. The can lead to logic errors. This issue has been resolved in version 0.3.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-682", "description": "CWE-682: Incorrect Calculation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-05T23:00:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/vyperlang/vyper/pull/2447"}], "source": {"advisory": "GHSA-c7pr-343r-5c46", "discovery": "UNKNOWN"}, "title": "Bounds check missing for decimal args in Vyper", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41122", "STATE": "PUBLIC", "TITLE": "Bounds check missing for decimal args in Vyper"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "vyper", "version": {"version_data": [{"version_value": "< 0.3.0"}]}}]}, "vendor_name": "vyperlang"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. The can lead to logic errors. This issue has been resolved in version 0.3.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-682: Incorrect Calculation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46", "refsource": "CONFIRM", "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46"}, {"name": "https://github.com/vyperlang/vyper/pull/2447", "refsource": "MISC", "url": "https://github.com/vyperlang/vyper/pull/2447"}]}, "source": {"advisory": "GHSA-c7pr-343r-5c46", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41122", "datePublished": "2021-10-05T23:00:11", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2021-10-05T23:00:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CA2159A-A4C9-4087-B92C-CDB067277711", "versionEndExcluding": "0.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. The can lead to logic errors. This issue has been resolved in version 0.3.0."}, {"lang": "es", "value": "Vyper es un lenguaje de contrato inteligente de Python para el EVM. En las versiones afectadas, las funciones externas no comprueban correctamente los l\u00edmites de los argumentos decimales. Esto puede conllevar a errores l\u00f3gicos. Este problema ha sido resuelto en la versi\u00f3n 0.3.0"}], "id": "CVE-2021-41122", "lastModified": "2023-08-02T16:22:18.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Primary"}]}, "published": "2021-10-05T23:15:07.487", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/vyperlang/vyper/pull/2447"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-682"}], "source": "security-advisories@github.com", "type": "Primary"}]}