GHSA-c7pr-343r-5c46

Suggest an improvement
Source
https://github.com/advisories/GHSA-c7pr-343r-5c46
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-c7pr-343r-5c46/GHSA-c7pr-343r-5c46.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-c7pr-343r-5c46
Aliases
Related
Published
2021-10-06T17:48:46Z
Modified
2026-01-30T00:31:41.793876Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
missing clamps for decimal args in external functions
Details

Impact

The following code does not properly validate that its input is in bounds.

@external
def foo(x: decimal) -> decimal:
    return x

Patches

0.3.0 / #2447

Workarounds

Don't use decimal args

Database specific 
{
    "cwe_ids": [
        "CWE-682"
    ],
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": "2021-10-05T23:15:00Z",
    "github_reviewed_at": "2021-10-06T13:26:05Z"
}
References

Affected packages

PyPI / vyper

Package

Name
vyper
View open source insights on deps.dev
Purl
pkg:pypi/vyper

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.3.0

Affected versions

0.*
0.1.0b1
0.1.0b2
0.1.0b3
0.1.0b4
0.1.0b5
0.1.0b6
0.1.0b7
0.1.0b8
0.1.0b9
0.1.0b10
0.1.0b11
0.1.0b12
0.1.0b13
0.1.0b14
0.1.0b15
0.1.0b16
0.1.0b17
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-c7pr-343r-5c46/GHSA-c7pr-343r-5c46.json"