Nimble is the package manager for the Nim programming language. In Nim releases before 1.2.10 and 1.4.4 (bundled Nimble before 0.13.0, per the linked changelog), Nimble's doCmd is used in several places and can be leveraged to execute arbitrary commands, because the command string it runs is assembled from package metadata and handed to a shell. An attacker who can supply or tamper with the packages.json package list can craft a malicious entry that triggers code execution on the machine running Nimble.
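An added illustration of the pattern the description names, not Nimble's own code and not the proof of concept from the linked advisory: a fetch command built as one string from a package-list URL and handed to a shell, beside the hardened form that passes the URL as a single argv element and checks it against an allowlist first. It is written in Python rather than Nim so it runs stand-alone; the package entries, the URLs and the `echo`/interpreter stand-ins for the real fetch command are constructed for the example.

```python
import json
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample of a packages.json-style list. The second entry's URL
# carries a shell metacharacter sequence; it is an illustration only, not an
# entry taken from any real package list.
GOOD_URL = "https://github.com/example/good"
EVIL_URL = "https://github.com/example/evil; echo INJECTED"
SAMPLE_PACKAGES_JSON = json.dumps([
    {"name": "good", "url": GOOD_URL, "method": "git"},
    {"name": "evil", "url": EVIL_URL, "method": "git"},
])

# Allowlist for what a package URL may look like: https scheme, a host made of
# [A-Za-z0-9.-], and at least one path segment. Anything else is rejected
# before it reaches a subprocess. (Hypothetical policy; tighten for a real tool.)
URL_RE = re.compile(r"https://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._-]+)+")


def is_safe_package_url(url: str) -> bool:
    """True if url matches the allowlist (and so cannot begin with an option dash)."""
    return URL_RE.fullmatch(url) is not None


def vulnerable_fetch(url: str) -> str:
    """Unsafe pattern: interpolate the URL into one string and give it to a shell.

    shell=True is the Python analogue of running a command string through
    sh -c, so ';', '&&', '|' and '$(...)' inside the URL are honoured.
    'echo' stands in for the real fetch command so the demo runs offline.
    """
    cmd = f"echo fetching {url}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_fetch(url: str) -> str:
    """Hardened pattern: pass the URL as a single argv element, no shell.

    The interpreter is used as the stand-in fetch command so the demo does not
    depend on any other binary; the URL arrives verbatim in sys.argv[1].
    """
    argv: List[str] = [sys.executable, "-c",
                       "import sys; print('fetching', sys.argv[1])", url]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def fetch_package_list(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Validate every entry; fetch accepted ones via argv, report the rejected names."""
    results: Dict[str, str] = {}
    rejected: List[str] = []
    for entry in json.loads(text):
        name, url = entry["name"], entry["url"]
        if not is_safe_package_url(url):
            rejected.append(name)
            continue
        results[name] = safe_fetch(url)
    return results, rejected


if __name__ == "__main__":
    print("-- shell string (vulnerable) --")
    print(vulnerable_fetch(EVIL_URL), end="")
    print("-- argv (safe) --")
    print(safe_fetch(EVIL_URL), end="")
    print("-- validated list --")
    print(fetch_package_list(SAMPLE_PACKAGES_JSON))
```

With the shell-string version the crafted URL yields two lines of output, the second produced by the injected `echo INJECTED`; with the argv version the whole string, metacharacters included, is delivered as one argument. The allowlist still matters even with argv: removing the shell stops metacharacter parsing, but a tool such as git can still interpret an argument that starts with `-` as an option, so reject such values (or terminate options with `--`) rather than relying on argv passing alone.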
References
| Link | Resource |
|---|---|
| https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/ | Exploit, Third Party Advisory |
| https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130 | Release Notes, Third Party Advisory |
| https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37 | Patch, Third Party Advisory |
| https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2021-03-26T21:20:15
Updated: 2021-03-26T21:20:15
Reserved: 2020-12-22T00:00:00
Link: CVE-2021-21372
NVD Information
Status : Analyzed
Published: 2021-03-26T22:15:12.697
Modified: 2022-10-24T17:14:16.087
Link: CVE-2021-21372
Redhat Information
No data.