QwikSec

Security Database

CVE

CWE

Training

CVE-2023-34449

Published: Jun 14, 2023

Modified: Dec 30, 2024

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call's return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch.

Vendor	Product	Versions
paritytech	ink	affected `>= 4.0.0, < 4.2.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f

x_refsource_CONFIRM

https://github.com/paritytech/ink/pull/1450

x_refsource_MISC

https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db

x_refsource_MISC

https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate

x_refsource_MISC

https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.