Unrated severity · NVD Advisory · Published Mar 26, 2021 · Updated Aug 3, 2024
Nimble fails to validate certificates due to insecure httpClient defaults
CVE-2021-21374
Description
Nimble is a package manager for the Nim programming language. In Nim releases before 1.2.10 and 1.4.4, "nimble refresh" fetches the list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate, because of the default setting of httpClient. An attacker able to perform a MitM attack can deliver a modified package list containing malicious software packages. If those packages are installed and used, the attack escalates to untrusted code execution.
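As an added example (not code from the advisory, from Nim, or from Nimble), the snippet below shows the defender-side fix for the weakness described above: building the HttpClient with an explicit SSL context that verifies the peer certificate, so the outcome no longer depends on httpClient's default. It assumes compilation with -d:ssl, a Nim version whose newContext can locate the system CA bundle, and a placeholder package-list URL.

```nim
# Added example, not part of the advisory or of Nimble.
# Build with: nim c -d:ssl fetch_packages.nim
import httpclient, net

const
  # Placeholder for illustration only; substitute the real package-list URL.
  PackageListUrl = "https://example.invalid/packages.json"

proc newVerifyingClient(): HttpClient =
  ## Construct a client whose SSL context always verifies the server
  ## certificate, instead of inheriting whatever default context the
  ## installed Nim version uses (affected versions did not verify).
  let ctx = newContext(verifyMode = CVerifyPeer)
  result = newHttpClient(sslContext = ctx, timeout = 10_000)

proc fetchPackageList(url: string): string =
  ## Download the package list. A certificate the client cannot validate
  ## makes the handshake fail with SslError rather than silently succeed.
  let client = newVerifyingClient()
  defer: client.close()
  result = client.getContent(url)

when isMainModule:
  try:
    let body = fetchPackageList(PackageListUrl)
    echo "fetched ", body.len, " bytes"
  except SslError as e:
    # A tampered or untrusted certificate lands here: refuse the list.
    stderr.writeLine "TLS verification failed, refusing package list: ", e.msg
    quit(1)
  except CatchableError as e:
    stderr.writeLine "fetch failed: ", e.msg
    quit(1)
```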
Affected products
OSV coordinates (7 versions):
- pkg:rpm/opensuse/nim&distro=openSUSE%20Leap%2015.2
- pkg:rpm/opensuse/nim&distro=openSUSE%20Leap%2015.3
- pkg:rpm/opensuse/nim&distro=openSUSE%20Leap%2015.4
- pkg:rpm/opensuse/nim&distro=openSUSE%20Tumbleweed
- pkg:rpm/suse/nim&distro=SUSE%20Package%20Hub%2015%20SP2
- pkg:rpm/suse/nim&distro=SUSE%20Package%20Hub%2015%20SP3
- pkg:rpm/suse/nim&distro=SUSE%20Package%20Hub%2015%20SP4

Affected version ranges:
- (no CPE) range: < 1.2.12-lp152.2.3.1
- (no CPE) range: < 1.6.6-bp153.2.3.1
- (no CPE) range: < 1.6.6-bp154.2.3.1
- (no CPE) range: < 1.2.12-1.7
- (no CPE) range: < 1.2.12-bp152.4.3.1
- (no CPE) range: < 1.6.6-bp153.2.3.1
- (no CPE) range: < 1.6.6-bp154.2.3.1
- nim-lang/security advisory (GHSA): range < 1.2.10
References
- https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/ (MISC)
- https://github.com/nim-lang/Nim/pull/16940 (MISC)
- https://github.com/nim-lang/nimble/blob/master/changelog.markdown (MISC)
- https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx (CONFIRM)