CVE-2023-34449 : ink! is an embedded domain specific language to write smart contracts in Rust fo

ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call's return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch.

Published 2023-06-14 21:15:10

Updated 2023-06-28 20:46:31

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-34449

Parity » Ink! » For Rust
Versions from including (>=) 4.0.0 and before (<) 4.2.1
cpe:2.3:a:parity:ink\!:*:*:*:*:*:rust:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-34449

EPSS FAQ

0.22%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 60 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-34449

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2023-34449

CWE-253 Incorrect Check of Function Return Value

The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.

Assigned by: security-advisories@github.com (Primary)
CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-34449

https://github.com/paritytech/ink/pull/1450

Add support for language level errors (`LangError`) by HCastano · Pull Request #1450 · paritytech/ink · GitHub
Patch;Vendor Advisory
https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html

invoke_contract_delegate in ink_env - Rust
Exploit;Third Party Advisory
https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate

CallBuilder in ink_env::call - Rust
Exploit;Third Party Advisory
https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db

Merge pull request from GHSA-853p-5678-hv8f · paritytech/ink@f1407ee · GitHub
Patch
https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f

Incorrect decoding of storage value when using `DelegateCall` · Advisory · paritytech/ink · GitHub
Exploit;Patch;Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-34449

Products affected by CVE-2023-34449

Exploit prediction scoring system (EPSS) score for CVE-2023-34449

CVSS scores for CVE-2023-34449

CWE ids for CVE-2023-34449

References for CVE-2023-34449