CVE-2023-34449 (GCVE-0-2023-34449)

Vulnerability from cvelistv5

Published

2023-06-14 20:10

Modified

2024-12-30 14:57

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-754 - Improper Check for Unusual or Exceptional Conditions
CWE-253 - Incorrect Check of Function Return Value

Summary

ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call's return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch.

References

►

URL

Tags

security-advisories@github.com	https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate	Exploit, Third Party Advisory
security-advisories@github.com	https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html	Exploit, Third Party Advisory
security-advisories@github.com	https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db	Patch
security-advisories@github.com	https://github.com/paritytech/ink/pull/1450	Patch, Vendor Advisory
security-advisories@github.com	https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f	Exploit, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/paritytech/ink/pull/1450	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f	Exploit, Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	paritytech	ink	Version: >= 4.0.0, < 4.2.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:10:07.115Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f"
          },
          {
            "name": "https://github.com/paritytech/ink/pull/1450",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/paritytech/ink/pull/1450"
          },
          {
            "name": "https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db"
          },
          {
            "name": "https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate"
          },
          {
            "name": "https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34449",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-30T14:57:44.585992Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-30T14:57:52.199Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ink",
          "vendor": "paritytech",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call\u0027s return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-253",
              "description": "CWE-253: Incorrect Check of Function Return Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-14T20:11:15.570Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f"
        },
        {
          "name": "https://github.com/paritytech/ink/pull/1450",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/paritytech/ink/pull/1450"
        },
        {
          "name": "https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db"
        },
        {
          "name": "https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate"
        },
        {
          "name": "https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html"
        }
      ],
      "source": {
        "advisory": "GHSA-853p-5678-hv8f",
        "discovery": "UNKNOWN"
      },
      "title": "ink! vulnerable to incorrect decoding of storage value when using `DelegateCall`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-34449",
    "datePublished": "2023-06-14T20:10:54.842Z",
    "dateReserved": "2023-06-06T16:16:53.558Z",
    "dateUpdated": "2024-12-30T14:57:52.199Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-34449\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-06-14T21:15:09.790\",\"lastModified\":\"2024-11-21T08:07:16.673\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call\u0027s return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-253\"},{\"lang\":\"en\",\"value\":\"CWE-754\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parity:ink\\\\!:*:*:*:*:*:rust:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.2.1\",\"matchCriteriaId\":\"9A457DD0-00EE-42F1-97E4-16089A57EAD5\"}]}]}],\"references\":[{\"url\":\"https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/paritytech/ink/pull/1450\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/paritytech/ink/pull/1450\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f\", \"name\": \"https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/paritytech/ink/pull/1450\", \"name\": \"https://github.com/paritytech/ink/pull/1450\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db\", \"name\": \"https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate\", \"name\": \"https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html\", \"name\": \"https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T16:10:07.115Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-34449\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-30T14:57:44.585992Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-30T14:57:48.402Z\"}}], \"cna\": {\"title\": \"ink! vulnerable to incorrect decoding of storage value when using `DelegateCall`\", \"source\": {\"advisory\": \"GHSA-853p-5678-hv8f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"paritytech\", \"product\": \"ink\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.2.1\"}]}], \"references\": [{\"url\": \"https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f\", \"name\": \"https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/paritytech/ink/pull/1450\", \"name\": \"https://github.com/paritytech/ink/pull/1450\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db\", \"name\": \"https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate\", \"name\": \"https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html\", \"name\": \"https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call\u0027s return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-754\", \"description\": \"CWE-754: Improper Check for Unusual or Exceptional Conditions\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-253\", \"description\": \"CWE-253: Incorrect Check of Function Return Value\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-06-14T20:11:15.570Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-34449\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-30T14:57:52.199Z\", \"dateReserved\": \"2023-06-06T16:16:53.558Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-06-14T20:10:54.842Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

gsd-2023-34449

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-34449

Aliases

CVE-2023-34449

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-34449",
    "id": "GSD-2023-34449"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-34449"
      ],
      "details": "ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call\u0027s return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch.",
      "id": "GSD-2023-34449",
      "modified": "2023-12-13T01:20:30.516096Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-34449",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "ink",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 4.0.0, \u003c 4.2.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "paritytech"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call\u0027s return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-754",
                "lang": "eng",
                "value": "CWE-754: Improper Check for Unusual or Exceptional Conditions"
              }
            ]
          },
          {
            "description": [
              {
                "cweId": "CWE-253",
                "lang": "eng",
                "value": "CWE-253: Incorrect Check of Function Return Value"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f",
            "refsource": "MISC",
            "url": "https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f"
          },
          {
            "name": "https://github.com/paritytech/ink/pull/1450",
            "refsource": "MISC",
            "url": "https://github.com/paritytech/ink/pull/1450"
          },
          {
            "name": "https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db",
            "refsource": "MISC",
            "url": "https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db"
          },
          {
            "name": "https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate",
            "refsource": "MISC",
            "url": "https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate"
          },
          {
            "name": "https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html",
            "refsource": "MISC",
            "url": "https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-853p-5678-hv8f",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:parity:ink\\!:*:*:*:*:*:rust:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.2.1",
                "versionStartIncluding": "4.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-34449"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call\u0027s return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-754"
                },
                {
                  "lang": "en",
                  "value": "CWE-253"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/paritytech/ink/pull/1450",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/paritytech/ink/pull/1450"
            },
            {
              "name": "https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db"
            },
            {
              "name": "https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html"
            },
            {
              "name": "https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f"
            },
            {
              "name": "https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2023-06-28T20:46Z",
      "publishedDate": "2023-06-14T21:15Z"
    }
  }
}

fkie_cve-2023-34449

Vulnerability from fkie_nvd

Published

2023-06-14 21:15

Modified

2024-11-21 08:07

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate	Exploit, Third Party Advisory
security-advisories@github.com	https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html	Exploit, Third Party Advisory
security-advisories@github.com	https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db	Patch
security-advisories@github.com	https://github.com/paritytech/ink/pull/1450	Patch, Vendor Advisory
security-advisories@github.com	https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f	Exploit, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/paritytech/ink/pull/1450	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f	Exploit, Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	parity	ink\!	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:parity:ink\\!:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "9A457DD0-00EE-42F1-97E4-16089A57EAD5",
              "versionEndExcluding": "4.2.1",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call\u0027s return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch."
    }
  ],
  "id": "CVE-2023-34449",
  "lastModified": "2024-11-21T08:07:16.673",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-06-14T21:15:09.790",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/paritytech/ink/pull/1450"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/paritytech/ink/pull/1450"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-253"
        },
        {
          "lang": "en",
          "value": "CWE-754"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-853p-5678-hv8f

Vulnerability from github

Published

2023-06-14 20:11

Modified

2023-06-16 17:57

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

ink! vulnerable to incorrect decoding of storage value when using `DelegateCall`

Details

Summary

The return value when using delegate call mechanics, either through CallBuilder::delegate or ink_env::invoke_contract_delegate, is being decoded incorrectly.

Description

Consider this minimal example:

``rust // First contract, this will be performing a delegate call to theCallee`.

[ink(storage)]

pub struct Caller { value: u128, }

[ink(message)]

pub fn get_value(&self, callee_code_hash: Hash) -> u128 { let result = build_call::() .delegate(callee_code_hash) .exec_input(ExecutionInput::new(Selector::new(ink::selector_bytes!( "get_value" )))) .returns::() .invoke();

result

}

// Different contract, using this code hash for the delegate call.

[ink(storage)]

pub struct Callee { value: u128, }

[ink(message)]

pub fn get_value(&self) -> u128 { self.value } ```

In this example we are executing the Callee code in the context of the Caller contract. This means we'll be using the storage values of the Caller contract.

Running this code we expect the delegate call to return value as it was stored in the Caller contract. However, due to the reported bug a different value is returned (for the case of uints it is 256 times the expected value).

Impact

After conducting an analysis of the on-chain deployments of ink! contracts on Astar, Shiden, Aleph Zero, Amplitude and Pendulum, we have found that no contracts on those chains have been affected by the issue.

This bug was related to the mechanics around decoding a call's return buffer, which was changed as part of https://github.com/paritytech/ink/pull/1450. Since this feature was only released in ink! 4.0.0 no previous versions are affected.

Mitigations

If you have an ink! 4.x series contract, please update it to the 4.2.1 patch release that we just published.

Credits

Thank you Facundo Lerena from CoinFabrik for reporting this problem in a well-structured and responsible way.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "ink"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "ink_env"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-253",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-14T20:11:38Z",
    "nvd_published_at": "2023-06-14T21:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe return value when using delegate call mechanics, either through [`CallBuilder::delegate`](https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate) or [`ink_env::invoke_contract_delegate`](https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html), is being decoded incorrectly.\n\n### Description\nConsider this minimal example:\n\n```rust\n// First contract, this will be performing a delegate call to the `Callee`.\n#[ink(storage)]\npub struct Caller {\n    value: u128,\n}\n\n#[ink(message)]\npub fn get_value(\u0026self, callee_code_hash: Hash) -\u003e u128 {\n    let result = build_call::\u003cDefaultEnvironment\u003e()\n        .delegate(callee_code_hash)\n        .exec_input(ExecutionInput::new(Selector::new(ink::selector_bytes!(\n            \"get_value\"\n        ))))\n        .returns::\u003cu128\u003e()\n        .invoke();\n\n    result\n}\n\n// Different contract, using this code hash for the delegate call.\n#[ink(storage)]\npub struct Callee {\n    value: u128,\n}\n\n#[ink(message)]\npub fn get_value(\u0026self) -\u003e u128 {\n    self.value\n}\n```\n\nIn this example we are executing the `Callee` code in the context of the `Caller` contract. This means we\u0027ll be using the storage values of the `Caller` contract.\n\nRunning this code we expect the delegate call to return `value` as it was stored in the `Caller` contract. However, due to the reported bug a different value is returned (for the case of `uint`s it is `256` times the expected value).\n\n### Impact\nAfter conducting an analysis of the on-chain deployments of ink! contracts on Astar, Shiden, Aleph Zero, Amplitude and Pendulum, we have found that no contracts on those chains have been affected by the issue.\n\nThis bug was related to the mechanics around decoding a call\u0027s return buffer, which was changed as part of https://github.com/paritytech/ink/pull/1450. Since this feature was only released in ink! 4.0.0 no previous versions are affected.\n\n### Mitigations\nIf you have an ink! 4.x series contract, please update it to the [4.2.1](https://github.com/paritytech/ink/releases/tag/v4.2.1) patch release that we just published. \n\n### Credits\nThank you Facundo Lerena from [CoinFabrik](https://www.coinfabrik.com) for reporting this problem in a well-structured and responsible way.",
  "id": "GHSA-853p-5678-hv8f",
  "modified": "2023-06-16T17:57:43Z",
  "published": "2023-06-14T20:11:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/paritytech/ink/pull/1450"
    },
    {
      "type": "WEB",
      "url": "https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db"
    },
    {
      "type": "WEB",
      "url": "https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate"
    },
    {
      "type": "WEB",
      "url": "https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/paritytech/ink"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ink! vulnerable to incorrect decoding of storage value when using `DelegateCall`"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-34449 (GCVE-0-2023-34449)

Vulnerability from cvelistv5

gsd-2023-34449

Vulnerability from gsd

fkie_cve-2023-34449

Vulnerability from fkie_nvd

ghsa-853p-5678-hv8f

Vulnerability from github

Summary

Description

[ink(storage)]

[ink(message)]

[ink(storage)]

[ink(message)]

Impact

Mitigations

Credits

Tags

Sightings

Nomenclature