rpm package
suse/nim&distro=SUSE Package Hub 15 SP4
pkg:rpm/suse/nim&distro=SUSE%20Package%20Hub%2015%20SP4
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-29495 | — | < 1.6.6-bp154.2.3.1 | 1.6.6-bp154.2.3.1 | May 7, 2021 | Nim is a statically typed compiled systems programming language. In Nim standard library before 1.4.2, httpClient SSL/TLS certificate verification was disabled by default. Users can upgrade to version 1.4.2 to receive a patch or, as a workaround, set "verifyMode = CVerifyPeer" as | ||
| CVE-2021-21373 | — | < 1.6.6-bp154.2.3.1 | 1.6.6-bp154.2.3.1 | Mar 26, 2021 | Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.j | ||
| CVE-2021-21374 | — | < 1.6.6-bp154.2.3.1 | 1.6.6-bp154.2.3.1 | Mar 26, 2021 | Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An | ||
| CVE-2021-21372 | — | < 1.6.6-bp154.2.3.1 | 1.6.6-bp154.2.3.1 | Mar 26, 2021 | Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package | ||
| CVE-2020-15690 | — | < 1.6.6-bp154.2.3.1 | 1.6.6-bp154.2.3.1 | Jan 30, 2021 | In Nim before 1.2.6, the standard library asyncftpclient lacks a check for whether a message contains a newline character. | ||
| CVE-2020-15694 | — | < 1.6.6-bp154.2.3.1 | 1.6.6-bp154.2.3.1 | Aug 14, 2020 | In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length. | ||
| CVE-2020-15693 | — | < 1.6.6-bp154.2.3.1 | 1.6.6-bp154.2.3.1 | Aug 14, 2020 | In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP he | ||
| CVE-2020-15692 | — | < 1.6.6-bp154.2.3.1 | 1.6.6-bp154.2.3.1 | Aug 14, 2020 | In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary regist |
- CVE-2021-29495May 7, 2021affected < 1.6.6-bp154.2.3.1fixed 1.6.6-bp154.2.3.1
Nim is a statically typed compiled systems programming language. In Nim standard library before 1.4.2, httpClient SSL/TLS certificate verification was disabled by default. Users can upgrade to version 1.4.2 to receive a patch or, as a workaround, set "verifyMode = CVerifyPeer" as
- CVE-2021-21373Mar 26, 2021affected < 1.6.6-bp154.2.3.1fixed 1.6.6-bp154.2.3.1
Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.j
- CVE-2021-21374Mar 26, 2021affected < 1.6.6-bp154.2.3.1fixed 1.6.6-bp154.2.3.1
Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An
- CVE-2021-21372Mar 26, 2021affected < 1.6.6-bp154.2.3.1fixed 1.6.6-bp154.2.3.1
Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package
- CVE-2020-15690Jan 30, 2021affected < 1.6.6-bp154.2.3.1fixed 1.6.6-bp154.2.3.1
In Nim before 1.2.6, the standard library asyncftpclient lacks a check for whether a message contains a newline character.
- CVE-2020-15694Aug 14, 2020affected < 1.6.6-bp154.2.3.1fixed 1.6.6-bp154.2.3.1
In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length.
- CVE-2020-15693Aug 14, 2020affected < 1.6.6-bp154.2.3.1fixed 1.6.6-bp154.2.3.1
In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP he
- CVE-2020-15692Aug 14, 2020affected < 1.6.6-bp154.2.3.1fixed 1.6.6-bp154.2.3.1
In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary regist