Vulnerability Description
Nimble is the package manager for the Nim programming language. In Nim releases before versions 1.2.10 and 1.4.4, Nimble's doCmd helper is used in several places to run shell commands, and it can be leveraged to execute arbitrary commands. An attacker who can plant a crafted entry in the packages.json package list can trigger code execution on a machine that installs packages from that list.
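The following is an added illustration of the injection class the description refers to; it is not Nimble's code and does not reproduce the real doCmd call sites. It assumes a package manager that reads a packages.json list and pastes an entry's "url" field into a single shell string, with `echo` standing in for `git clone` so it runs offline. The package list, the URL allow-list regex and the function names are constructed for this example.

```python
"""Command injection via a crafted packages.json entry (added example).

Not Nimble's own code. Models a package manager that builds a shell command
from an untrusted "url" field, beside a hardened variant that validates the
URL and passes an argv list so no shell ever parses it.
"""
from __future__ import annotations

import json
import re
import subprocess

# Constructed sample package list (NOT the real nim-lang/packages list).
# The second entry smuggles a second shell command into the "url" field.
SAMPLE_PACKAGES_JSON = json.dumps([
    {"name": "goodpkg", "url": "https://example.invalid/goodpkg", "method": "git"},
    {"name": "evilpkg",
     "url": "https://example.invalid/x; echo injected-$((40+2))",
     "method": "git"},
])

# Assumed hardening rule (not Nimble's): a strict allow-list for package URLs.
URL_RE = re.compile(r"^(https?|git)://[A-Za-z0-9][A-Za-z0-9._~:/-]*$")


def parse_package_list(text: str) -> list[dict]:
    """Parse a packages.json document; keep entries that carry name and url."""
    entries = json.loads(text)
    return [e for e in entries if isinstance(e, dict) and "name" in e and "url" in e]


def is_url_allowed(url: str) -> bool:
    """True when the URL matches the allow-list (no spaces, ';', '$', '(' ...)."""
    return URL_RE.match(url) is not None


def fetch_vulnerable(entry: dict) -> str:
    """doCmd-style: untrusted fields are interpolated into one string for /bin/sh.

    `echo cloning` stands in for `git clone`; anything after ';' in the URL
    is run as a second command. Returns the shell's stdout.
    """
    cmd = f"echo cloning {entry['url']} {entry['name']}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return proc.stdout


def fetch_safe(entry: dict, validate: bool = True) -> str:
    """Hardened: optionally validate the URL, then exec an argv list (no shell).

    With validate=False the metacharacters still reach the stand-in command
    only as a literal argument, which shows that the argv form alone closes
    the injection; validation is defence in depth.
    """
    if validate and not is_url_allowed(entry["url"]):
        raise ValueError(f"rejected package URL: {entry['url']!r}")
    argv = ["echo", "cloning", entry["url"], entry["name"]]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    good, evil = parse_package_list(SAMPLE_PACKAGES_JSON)
    print("vulnerable path, crafted entry:\n" + fetch_vulnerable(evil))
    print("argv path, crafted entry, no validation:\n" + fetch_safe(evil, validate=False))
    try:
        fetch_safe(evil)
    except ValueError as exc:
        print("argv path with validation:", exc)
```

Run it on a POSIX host: the vulnerable path prints `injected-42` on its own line because the shell evaluated the smuggled `echo`, while the argv path prints the URL verbatim, arithmetic expansion included, and the validating variant refuses the entry outright.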
CVSS Score
HIGH (CVSS base score 8.3)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nim-Lang | Nim | < 1.2.10, and 1.4.0 up to (excluding) 1.4.4 |
Related Weaknesses (CWE)
References
- https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-re (Exploit, Third Party Advisory)
- https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130 (Release Notes, Third Party Advisory)
- https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c (Patch, Third Party Advisory)
- https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p (Third Party Advisory)
FAQ
What is CVE-2021-21372?
CVE-2021-21372 is a vulnerability with a CVSS score of 8.3 (HIGH). Nimble is the package manager for the Nim programming language. In Nim releases before versions 1.2.10 and 1.4.4, Nimble's doCmd helper is used in several places to run shell commands and can be leveraged to execute arbitrary commands; a crafted entry in the packages.json package list is enough to trigger code execution.
How severe is CVE-2021-21372?
CVE-2021-21372 has been rated HIGH with a CVSS base score of 8.3/10 (see the CVSS Score section above).
Is there a patch for CVE-2021-21372?
Yes. The description above gives the fixed Nim releases as 1.2.10 and 1.4.4; the References section links the GitHub security advisory, the Nimble changelog and the patch commit. Affected product: Nim-Lang Nim.