CVE-2024-21629

EPSS 0.58%
Veröffentlicht 02.01.2024 22:15:09
Zuletzt bearbeitet 21.11.2024 08:54:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Erroneous handling of `record_external_operation` error return

Rust EVM is an Ethereum Virtual Machine interpreter. In `rust-evm`, a feature called `record_external_operation` was introduced, allowing library users to record custom gas changes. This feature can have some bogus interactions with the call stack. In particular, during finalization of a `CREATE` or `CREATE2`, in the case that the substack execution happens successfully, `rust-evm` will first commit the substate, and then call `record_external_operation(Write(out_code.len()))`. If `record_external_operation` later fails, this error is returned to the parent call stack, instead of `Succeeded`. Yet, the substate commitment already happened. This causes smart contracts able to commit state changes, when the parent caller contract receives zero address (which usually indicates that the execution has failed). This issue only impacts library users with custom `record_external_operation` that returns errors. The issue is patched in release 0.41.1. No known workarounds are available.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Evm Project ≫ Evm SwPlatformrust Version < 0.41.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.58%	0.429

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-703 Improper Check or Handling of Exceptional Conditions

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

https://github.com/rust-ethereum/evm/blob/release-v041/src/executor/stack/executor.rs#L1012C25-L1012C69

Product

https://github.com/rust-ethereum/evm/commit/d8991ec727ad0fb64fe9957a3cd307387a6701e4

Patch

https://github.com/rust-ethereum/evm/pull/264

Patch

https://github.com/rust-ethereum/evm/security/advisories/GHSA-27wg-99g8-2v4v

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-21629

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-21629

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-21629

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-21629