CVE-2021-21372
8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nim-lang | security | < 1.2.10 | affected |
| nim-lang | security | >= 1.4.0, < 1.4.4 | affected |
Weaknesses
- CWE-20: CWE-20 Improper Input Validation
- CWE-74: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
- https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
- https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
- https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37
References
- https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
- https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
- https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
- https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.