GHSA-c7pr-343r-5c46

Source

https://github.com/advisories/GHSA-c7pr-343r-5c46

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-c7pr-343r-5c46/GHSA-c7pr-343r-5c46.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-c7pr-343r-5c46

Aliases

Published

2021-10-06T17:48:46Z

Modified

2024-11-18T23:01:14.307492Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

missing clamps for decimal args in external functions

Details

Impact

The following code does not properly validate that its input is in bounds.

@external
def foo(x: decimal) -> decimal:
    return x

Patches

0.3.0 / #2447

Workarounds

Don't use decimal args

Database specific

{
    "nvd_published_at": "2021-10-05T23:15:00Z",
    "cwe_ids": [
        "CWE-682"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-06T13:26:05Z"
}

References

Affected packages

PyPI / vyper

Package

Name: vyper; View open source insights on deps.dev
Purl: pkg:pypi/vyper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.3.0

Affected versions

0.*

0.1.0b1

0.1.0b2

0.1.0b3

0.1.0b4

0.1.0b5

0.1.0b6

0.1.0b7

0.1.0b8

0.1.0b9

0.1.0b10

0.1.0b11

0.1.0b12

0.1.0b13

0.1.0b14

0.1.0b15

0.1.0b16

0.1.0b17

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.2.14

0.2.15

0.2.16