Executive Summary

Information
Name: CVE-2023-34449
Vendor: Cve
First vendor Publication: 2023-06-14
Last vendor Modification: 2023-06-28

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Overall CVSS Score: 5.3
Base Score: 5.3
Environmental Score: 5.3
Impact SubScore: 1.4
Temporal Score: 5.3
Exploitability Sub Score: 3.9
 
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score: N/A
Cvss Impact Score: N/A
Cvss Exploit Score: N/A
Attack Range: N/A
Attack Complexity: N/A
Authentication: N/A

Detail

ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call's return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34449

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-754 Improper Check for Unusual or Exceptional Conditions
50 % CWE-253 Incorrect Check of Function Return Value

CPE : Common Platform Enumeration

Type: Application
Count: 1

Sources (Detail)

Source Url
MISC https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.del...
https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html
https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7...
https://github.com/paritytech/ink/pull/1450
https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f

Alert History

Date Information
2023-06-29 00:27:36
  • Multiple Updates
2023-06-15 00:27:15
  • First insertion