CVE-2021-21374 HIGH

CVE-2021-21374: Nimble fails to validate certificates due to insecure httpClient defaults

Vendor Nim-Lang
Product security
Weakness CWE-348
Published March 26, 2021
Last update August 3, 2024

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L

What the vulnerability does

01 Description

Nimble is the package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, "nimble refresh" fetches the list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate, because of the default setting of httpClient. An attacker able to perform a MitM attack can deliver a modified package list containing malicious software packages. If those packages are installed and used, the attack escalates to untrusted code execution.
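The weakness described above is a client-side default, so the relevant fix on the consumer side is to make certificate verification explicit. The Nim snippet below is an added illustration for this advisory, not code from the Nim or Nimble projects: it shows the pre-fix default (a TLS context created with CVerifyNone, which accepts any certificate) next to a context that verifies the peer chain, using the std/httpclient and std/net APIs. The URL is a constructed placeholder, and the program must be built with `-d:ssl` to enable TLS support.

```nim
# Added example for CVE-2021-21374; not part of the advisory or the Nim project.
# Compile with:  nim c -d:ssl fetch_packages.nim
import std/[httpclient, net]

# Constructed placeholder; a real deployment would point at the package index.
const packagesUrl = "https://example.invalid/packages.json"

# Before Nim 1.2.10 / 1.4.4, newHttpClient() built its TLS context with
# CVerifyNone, so a MitM presenting any certificate was accepted silently.
# Spelling that out makes the difference visible; this form is for contrast only.
proc weakClient(): HttpClient =
  newHttpClient(sslContext = newContext(verifyMode = CVerifyNone))

# Hardened form: verify the server's certificate chain against the CA store.
# Fixed Nim versions make this the default, but stating it explicitly does
# not depend on which compiler release built the binary.
proc verifyingClient(): HttpClient =
  newHttpClient(sslContext = newContext(verifyMode = CVerifyPeer))

# Fetch the package list body with the supplied client and release the connection.
proc fetchPackageList(client: HttpClient, url: string): string =
  defer: client.close()
  client.getContent(url)

when isMainModule:
  let client = verifyingClient()
  try:
    let body = fetchPackageList(client, packagesUrl)
    echo "fetched ", body.len, " bytes"
  except CatchableError as e:
    # With CVerifyPeer, a forged or self-signed certificate fails the handshake
    # here instead of yielding an attacker-controlled package list.
    echo "TLS or I/O failure: ", e.msg
```

Running the verifying client against an endpoint whose certificate does not chain to a trusted CA raises an exception during the handshake, which is the behaviour a package manager needs before it trusts a downloaded index; the weak variant would return the body regardless of who signed the certificate.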

Key dates

02 Disclosure timeline

March 26, 2021 CVE published
August 3, 2024 Record updated