CVE-2021-21374
Published
CVSS v3: 8.1 (HIGH)
CVSS v2: 6.8 (MEDIUM)
Affected: 2 projects
Description
Nimble is a package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, "nimble refresh" fetches the list of Nimble packages over HTTPS without full verification of the server's SSL/TLS certificate, because of the default setting of httpClient. An attacker able to perform a man-in-the-middle (MitM) attack can therefore deliver a modified package list containing malicious packages. If those packages are installed and used, the attack escalates to untrusted code execution.
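The weak configuration beside the corrected one, as an added illustration that is not Nimble's or Nim's own code: a client built on a context with `CVerifyNone` accepts any certificate a MitM presents, while one built with `CVerifyPeer` fails closed on a forged certificate. The URL is a placeholder, not the real package-list location.

```nim
# Added example (not Nimble's code). Compile with: nim c -d:ssl example.nim
import std/[httpclient, net]

# Placeholder URL, not the actual Nimble package list location.
const PackagesUrl = "https://example.invalid/packages.json"

proc fetchUnverified(url: string): string =
  # Mirrors the risk described in the advisory: the context never checks the
  # peer certificate, so an on-path attacker can serve a substituted list.
  let client = newHttpClient(sslContext = newContext(verifyMode = CVerifyNone))
  defer: client.close()
  client.getContent(url)

proc fetchVerified(url: string): string =
  # Explicit peer verification against the system CA store: a certificate
  # that does not chain to a trusted root makes getContent raise instead
  # of returning attacker-controlled data.
  let client = newHttpClient(sslContext = newContext(verifyMode = CVerifyPeer))
  defer: client.close()
  client.getContent(url)

when isMainModule:
  try:
    echo "fetched ", fetchVerified(PackagesUrl).len, " bytes"
  except CatchableError as e:
    # Both TLS verification failures and plain transport errors land here;
    # the important property is that no unverified content is ever returned.
    echo "refusing package list: ", e.msg
```

Any code that consumes such a list should additionally verify the integrity of the downloaded content (for example, a signature or pinned hash published out of band) rather than relying on transport security alone.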
Nim is a statically typed compiled systems programming language. It combines successful concepts from mature languages like Python, Ada and Modula. Its design focuses on efficiency, expressiveness, and elegance (in that order of priority).
Embargoed security issues that will be made public after a fix is made available. Use https://github.com/nim-lang/security/security