Nimble is a package manager for the Nim programming language. In Nim releases before versions 1.2.10 and 1.4.4, Nimble's doCmd is used in several places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.
References
| Link | Resource |
|---|---|
| https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/ | Exploit, Third Party Advisory |
| https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130 | Release Notes, Third Party Advisory |
| https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37 | Patch, Third Party Advisory |
| https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p | Third Party Advisory |
History
21 Nov 2024, 05:48
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS | v2: (none), v3: (none) | v2: 6.8, v3: 8.3 |
| References | | https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/ - Exploit, Third Party Advisory |
| References | | https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130 - Release Notes, Third Party Advisory |
| References | | https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37 - Patch, Third Party Advisory |
| References | | https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p - Third Party Advisory |
Information
Published : 2021-03-26 22:15
Updated : 2024-11-21 05:48
NVD link : CVE-2021-21372
Mitre link : CVE-2021-21372
CVE.ORG link : CVE-2021-21372
Products Affected
nim-lang
- nim