Vulnerability Details CVE-2021-21374
Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 50.6%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 6.8
References
- https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
- https://github.com/nim-lang/Nim/pull/16940
- https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
- https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
- https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
- https://github.com/nim-lang/Nim/pull/16940
- https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
- https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
Products affected by CVE-2021-21374
-
cpe:2.3:a:nim-lang:nim:0.10.2
-
cpe:2.3:a:nim-lang:nim:0.11.0
-
cpe:2.3:a:nim-lang:nim:0.11.2
-
cpe:2.3:a:nim-lang:nim:0.12.0
-
cpe:2.3:a:nim-lang:nim:0.13.0
-
cpe:2.3:a:nim-lang:nim:0.14.0
-
cpe:2.3:a:nim-lang:nim:0.14.2
-
cpe:2.3:a:nim-lang:nim:0.15.0
-
cpe:2.3:a:nim-lang:nim:0.15.2
-
cpe:2.3:a:nim-lang:nim:0.16.0
-
cpe:2.3:a:nim-lang:nim:0.17.0
-
cpe:2.3:a:nim-lang:nim:0.17.2
-
cpe:2.3:a:nim-lang:nim:0.18.0
-
cpe:2.3:a:nim-lang:nim:0.19.0
-
cpe:2.3:a:nim-lang:nim:0.19.2
-
cpe:2.3:a:nim-lang:nim:0.19.4
-
cpe:2.3:a:nim-lang:nim:0.19.6
-
cpe:2.3:a:nim-lang:nim:0.20.0
-
cpe:2.3:a:nim-lang:nim:0.20.2
-
cpe:2.3:a:nim-lang:nim:0.8.14
-
cpe:2.3:a:nim-lang:nim:0.9.0
-
cpe:2.3:a:nim-lang:nim:0.9.2
-
cpe:2.3:a:nim-lang:nim:0.9.4
-
cpe:2.3:a:nim-lang:nim:0.9.6
-
cpe:2.3:a:nim-lang:nim:1.0.0
-
cpe:2.3:a:nim-lang:nim:1.0.10
-
cpe:2.3:a:nim-lang:nim:1.0.2
-
cpe:2.3:a:nim-lang:nim:1.0.4
-
cpe:2.3:a:nim-lang:nim:1.0.6
-
cpe:2.3:a:nim-lang:nim:1.0.8
-
cpe:2.3:a:nim-lang:nim:1.2
-
cpe:2.3:a:nim-lang:nim:1.2.0
-
cpe:2.3:a:nim-lang:nim:1.2.2
-
cpe:2.3:a:nim-lang:nim:1.2.4
-
cpe:2.3:a:nim-lang:nim:1.2.6
-
cpe:2.3:a:nim-lang:nim:1.2.8
-
cpe:2.3:a:nim-lang:nim:1.4.0
-
cpe:2.3:a:nim-lang:nim:1.4.2