CVE-2021-21373 HIGH

CVE-2021-21373: Nimble falls back to insecure http url when fetching packages

Vendor Nim-Lang
Product security
Weakness CWE-348
Published March 26, 2021
Last update August 3, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L

What the vulnerability does

Description

Nimble is a package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL, http://irclogs.nim-lang.org/packages.json. An attacker able to perform a MitM attack can deliver a modified package list containing malicious software packages. If the packages are installed and used, the attack escalates to untrusted code execution.

Key dates

Disclosure timeline

March 26, 2021 CVE published
August 3, 2024 Record updated