GHSA-4hg4-9mf5-wxxq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4hg4-9mf5-wxxq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-4hg4-9mf5-wxxq/GHSA-4hg4-9mf5-wxxq.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-4hg4-9mf5-wxxq
- Aliases
- Published
- 2023-09-04T16:39:49Z
- Modified
- 2024-11-19T17:31:20.006094Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- incorrect order of evaluation of side effects for some builtins
- Details
-
Impact
The order of evaluation of the arguments of the builtin functions
uint256_addmod,uint256_mulmod,ecaddandecmuldoes not follow source order. • Foruint256_addmod(a,b,c)anduint256_mulmod(a,b,c), the order isc,a,b. • Forecadd(a,b)andecmul(a,b), the order isb,a.Note that this behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on.
Patches
https://github.com/vyperlang/vyper/pull/3583
Workarounds
When using builtins from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.
References
Are there any links users can visit to find out more?
- Database specific
{ "nvd_published_at": "2023-09-04T18:15:08Z", "cwe_ids": [ "CWE-670" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-09-04T16:39:49Z" }- References
Affected packages
PyPI / vyper
Package
- Name
- vyper
- View open source insights on deps.dev
- Purl
- pkg:pypi/vyper
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.3.10rc1
Affected versions
0.*
0.1.0b1
0.1.0b2
0.1.0b3
0.1.0b4
0.1.0b5
0.1.0b6
0.1.0b7
0.1.0b8
0.1.0b9
0.1.0b10
0.1.0b11
0.1.0b12
0.1.0b13
0.1.0b14
0.1.0b15
0.1.0b16
0.1.0b17
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9