| Name | CVE-2021-21372 |
|---|---|
| Description | Nimble is a package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, Nimble's doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 987272 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| nim (PTS) | bullseye | 1.4.6+really1.4.2-2 | fixed |
| | bookworm | 1.6.10-2 | fixed |
| | sid | 1.6.14-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| nim | source | (unstable) | 1.4.6+really1.4.2-1 | | | 987272 |
Notes
[buster] - nim <no-dsa> (Minor issue)
[stretch] - nim <postponed> (Minor issue; can be fixed in next update)
https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
Initially fixed in 1.4.6-1, but then reverted to 1.4.2 due to the bullseye freeze.