Evm
CVE-2022-39354
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the is_static parameter to determine if the call is executed in a static context (via STATICCALL), and thus decide if stateful operations should be done. Prior to version 0.36.0, the passed is_static parameter was incorrect -- it was only set to true if the call came from a direct STATICCALL opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually uses is_static. For those affected, the issue can lead to possible incorrect state transitions. Version 0.36.0 contains a patch. There are no known workarounds.
AnalysisAI
SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-670. SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the is_static parameter to determine if the call is executed in a static context (via STATICCALL), and thus decide if stateful operations should be done. Prior to version 0.36.0, the passed is_static parameter was incorrect -- it was only set to true if the call came from a direct STATICCALL opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually uses is_static. For those affected, the issue can lead to possible incorrect state transitions. Version 0.36.0 contains a patch. There are no known workarounds. Affected products include: Evm Project Evm. Version information: version 0.36.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
The evm crate is a pure Rust implementation of Ethereum Virtual Machine. Rated critical severity (CVSS 9.8), this vulner
evm is a pure Rust implementation of Ethereum Virtual Machine. Rated medium severity (CVSS 6.5), this vulnerability is r
Rust EVM is an Ethereum Virtual Machine interpreter. Rated medium severity (CVSS 5.9), this vulnerability is remotely ex
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today