CVE-2023-34449: ink! vulnerable to incorrect decoding of storage value when using `DelegateCall`
The return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is being decoded incorrectly.
References
- docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html
- docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html
- github.com/advisories/GHSA-853p-5678-hv8f
- github.com/paritytech/ink
- github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db
- github.com/paritytech/ink/pull/1450
- github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f
- nvd.nist.gov/vuln/detail/CVE-2023-34449