CVE-2022-24787

Severity: HIGH 7.5 | EPSS: 0.24%

Incorrect Comparison in Vyper

Published: 2022/4/4, Modified: 2024/12/5
Also known as: GHSA-7vrm-3jc8-5wwm, PYSEC-2022-196

Description

### Impact

Bytestrings can contain dirty bytes (stale data left in memory past the current length), so the word-for-word comparison of their contents can give incorrect results, e.g.

```vyper
b1: Bytes[32] = b"abcdef"
b1 = slice(b1, 0, 1)
b2: Bytes[32] = b"abcdef"
t: bool = b1 == b2  # incorrectly evaluates to True
```

Even without dirty non-zero bytes, because the lengths are not compared, two bytestrings can compare equal if one ends with `"\x00"`:

```vyper
b1: Bytes[32] = b"abc\0"
b2: Bytes[32] = b"abc"
t: bool = b1 == b2  # incorrectly evaluates to True
```

### Patches

Fixed in https://github.com/vyperlang/vyper/commit/2c73f8352635c0a433423a5b94740de1a118e508
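The flaw described above, modelled in Python as an added example (this is not code from the Vyper compiler). The model assumes the EVM memory layout a Vyper `Bytes[N]` uses: one 32-byte length word followed by the zero-padded data words. `buggy_eq` reproduces the pre-fix behaviour the advisory describes (data words compared word for word, length ignored); `fixed_eq` compares the length first and then only the bytes the length covers. The `VyperBytes` class, its `slice_` method and the two `case_*` functions are constructed for the illustration; the inputs are the advisory's own two cases.

```python
"""Model of the CVE-2022-24787 bytestring comparison bug (illustration only)."""
from dataclasses import dataclass, field

WORD = 32  # EVM word size in bytes


def _words(n: int) -> int:
    """Number of 32-byte words needed to hold n bytes of data."""
    return (n + WORD - 1) // WORD


@dataclass
class VyperBytes:
    """A Bytes[max_len] value: a length field plus a zero-padded data buffer.

    Assumed layout (length word + data words); constructed for this example.
    """
    max_len: int
    length: int = 0
    data: bytearray = field(default_factory=bytearray)

    @classmethod
    def literal(cls, max_len: int, value: bytes) -> "VyperBytes":
        """Initialise from a literal: fresh all-zero buffer, so no dirty bytes."""
        assert len(value) <= max_len
        buf = bytearray(_words(max_len) * WORD)
        buf[:len(value)] = value
        return cls(max_len, len(value), buf)

    def slice_(self, start: int, length: int) -> "VyperBytes":
        """Models `slice(b, start, length)` written back into the same variable.

        Only the length and the first `length` bytes are updated; whatever sat
        beyond the new length stays in memory as dirty bytes.
        """
        assert 0 <= start and start + length <= self.length
        new = bytearray(self.data)
        new[:length] = self.data[start:start + length]
        return VyperBytes(self.max_len, length, new)

    def words(self) -> list[bytes]:
        """The data words as the comparison would walk them."""
        return [bytes(self.data[i:i + WORD]) for i in range(0, len(self.data), WORD)]


def buggy_eq(a: VyperBytes, b: VyperBytes) -> bool:
    """Pre-0.3.2 behaviour as described in the advisory: compare data words only."""
    return a.words() == b.words()


def fixed_eq(a: VyperBytes, b: VyperBytes) -> bool:
    """Correct comparison: lengths must match, then only the live bytes."""
    if a.length != b.length:
        return False
    return a.data[:a.length] == b.data[:b.length]


def case_dirty_bytes() -> tuple[bool, bool]:
    """Advisory case 1: slice leaves "bcdef" in memory behind a length of 1."""
    b1 = VyperBytes.literal(32, b"abcdef")
    b1 = b1.slice_(0, 1)  # b1 is now b"a", but "bcdef" is still in its buffer
    b2 = VyperBytes.literal(32, b"abcdef")
    return buggy_eq(b1, b2), fixed_eq(b1, b2)


def case_trailing_nul() -> tuple[bool, bool]:
    """Advisory case 2: no dirty bytes, but lengths 4 and 3 are never compared."""
    b1 = VyperBytes.literal(32, b"abc\0")
    b2 = VyperBytes.literal(32, b"abc")
    return buggy_eq(b1, b2), fixed_eq(b1, b2)


def case_distinct_contents() -> tuple[bool, bool]:
    """Control: genuinely different bytes are rejected by both comparisons."""
    b1 = VyperBytes.literal(32, b"abc")
    b2 = VyperBytes.literal(32, b"abd")
    return buggy_eq(b1, b2), fixed_eq(b1, b2)


if __name__ == "__main__":
    for name, fn in [("dirty bytes", case_dirty_bytes),
                     ("trailing NUL", case_trailing_nul),
                     ("distinct", case_distinct_contents)]:
        buggy, fixed = fn()
        print(f"{name:13s} buggy_eq={buggy!s:5s} fixed_eq={fixed}")
```

Each `case_*` function returns `(buggy_eq, fixed_eq)`; the first two advisory cases come back `(True, False)`, showing that the length check alone is what separates the two results. The practical lesson for contract authors on affected versions is that `Bytes` equality cannot be trusted after any operation that shortens a value in place; upgrading to 0.3.2 or later is the fix.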

Affected packages (2)

  • PyPI/vyper: from 0, < 0.3.2
  • Git vyperlang/vyper: from 0, < commit 2c73f8352635c0a433423a5b94740de1a118e508 (from 0, < 0.3.2)

CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |

References (4)