CVE-2021-21374

Summary

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.

Affected Software

VendorProductVersion RangeStatus
nim-langsecurity< 1.2.10affected
nim-langsecurity>= 1.4.0, < 1.4.4affected

Weaknesses

  • CWE-348: CWE-348 Use of Less Trusted Source
  • CWE-599: CWE-599: Missing Validation of OpenSSL Certificate
  • CWE-349: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

ADP Enrichment

CVE Program Container

Additional References

References