Unrated severity · NVD Advisory · Published Mar 26, 2021 · Updated Aug 3, 2024
Nimble arbitrary code execution for specially crafted package metadata
CVE-2021-21372
Description
Nimble is a package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, Nimble's doCmd is used in several places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.
Affected products
OSV coordinates (7 versions, no CPE assigned):
- pkg:rpm/opensuse/nim (distro: openSUSE Leap 15.2), range: < 1.2.12-lp152.2.3.1
- pkg:rpm/opensuse/nim (distro: openSUSE Leap 15.3), range: < 1.6.6-bp153.2.3.1
- pkg:rpm/opensuse/nim (distro: openSUSE Leap 15.4), range: < 1.6.6-bp154.2.3.1
- pkg:rpm/opensuse/nim (distro: openSUSE Tumbleweed), range: < 1.2.12-1.7
- pkg:rpm/suse/nim (distro: SUSE Package Hub 15 SP2), range: < 1.2.12-bp152.4.3.1
- pkg:rpm/suse/nim (distro: SUSE Package Hub 15 SP3), range: < 1.6.6-bp153.2.3.1
- pkg:rpm/suse/nim (distro: SUSE Package Hub 15 SP4), range: < 1.6.6-bp154.2.3.1
- nim-lang/security (v5), range: < 1.2.10
References (4)
- consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/ (MITRE x_refsource_MISC)
- github.com/nim-lang/nimble/blob/master/changelog.markdown (MITRE x_refsource_MISC)
- github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37 (MITRE x_refsource_MISC)
- github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p (MITRE x_refsource_CONFIRM)