CVE-2021-21372

Name: CVE-2021-21372
Description: Nimble is a package manager for the Nim programming language. In Nim releases before 1.2.10 and 1.4.4, Nimble's doCmd is used in several places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.
Source: CVE (at NVD)
NVD severity: medium
Debian Bugs: 987272
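The description above names the bug class but not the shape of it. The following is an added example, written in Python for this page and not Nimble's or Nim's code: a field taken from a package list is spliced into a command string that a shell then parses, beside the hardened form that validates the field and runs the tool with an argument vector. The packages.json entry shape (name/url/method), the use of "git clone" as the fetch command, the URL allow-list pattern and the sample entries are all assumptions made for the illustration; the malicious url points at a loopback port that refuses connections so the example runs offline.

```python
"""Added example: the bug class behind CVE-2021-21372, shown in Python.

This is not Nimble's code. It models the pattern the advisory describes: a
field from packages.json is spliced into a command string that a shell parses.
Assumptions: the entry shape (name/url/method), that the fetch is a
'git clone', the URL allow-list pattern, and the constructed sample entries.
"""
import os
import re
import subprocess
import tempfile


def sample_entries(marker_path):
    """Constructed package-list entries (not a real packages.json).

    The malicious url ends the git command with ';' and appends a second
    command that writes a marker file, which is how the demo detects that
    the injected command actually ran.
    """
    return {
        "goodpkg": {"name": "goodpkg", "method": "git",
                    "url": "https://example.invalid/org/goodpkg"},
        "evilpkg": {"name": "evilpkg", "method": "git",
                    "url": f"https://127.0.0.1:9/x; echo INJECTED > {marker_path}"},
    }


def vulnerable_clone_command(entry, dest):
    """Vulnerable pattern: untrusted url concatenated into one shell string."""
    return f"git clone {entry['url']} {dest}"


def run_vulnerable(entry, dest):
    """shell=True hands the string to /bin/sh, so metacharacters in the url
    are interpreted. The git clone itself is expected to fail (127.0.0.1:9
    refuses connections, or git is absent); the injected command still runs."""
    subprocess.run(vulnerable_clone_command(entry, dest), shell=True,
                   capture_output=True, timeout=60, cwd=os.path.dirname(dest))


# Allow-list for package urls (an assumption, not Nimble's rule): https only,
# host[:port], and path segments limited to safe characters. This rejects
# shell metacharacters, whitespace, and urls starting with '-'.
URL_RE = re.compile(r"https://[A-Za-z0-9.-]+(:[0-9]+)?(/[A-Za-z0-9._-]+)+")


def safe_clone_argv(entry, dest):
    """Hardened form: validate the url, then build an argv list.

    No shell parses argv, and '--' stops git from reading a url that
    begins with '-' as an option (argument injection).
    """
    url = entry["url"]
    if not URL_RE.fullmatch(url):
        raise ValueError(f"rejected package url: {url!r}")
    return ["git", "clone", "--", url, dest]


def demo():
    """Run the vulnerable path against the malicious entry and show the
    hardened path rejects it. Returns (injected_command_ran, rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "injected")
        dest = os.path.join(tmp, "dest")
        entries = sample_entries(marker)
        run_vulnerable(entries["evilpkg"], dest)
        injected = os.path.exists(marker)
        try:
            safe_clone_argv(entries["evilpkg"], dest)
            rejected = False
        except ValueError:
            rejected = True
        return injected, rejected


if __name__ == "__main__":
    ran, blocked = demo()
    print(f"vulnerable path executed injected command: {ran}")
    print(f"hardened path rejected the entry: {blocked}")
    print("argv for benign entry:",
          safe_clone_argv(sample_entries("/dev/null")["goodpkg"], "goodpkg"))
```

The point of the argv form is that the fix is not quoting: once the url is a separate argument, no shell sees it, and the remaining risk is the tool's own option parsing, which the "--" separator and the leading-character check in the allow-list cover.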

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release         Version               Status
nim (PTS)        stretch         0.16.0-1              vulnerable
                 buster          0.19.4-1              vulnerable
                 bullseye, sid   1.4.6+really1.4.2-2   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version          Urgency   Origin   Debian Bugs
nim       source   (unstable)   1.4.6+really1.4.2-1                       987272

Notes

[buster] - nim <no-dsa> (Minor issue)
[stretch] - nim <postponed> (Minor issue; can be fixed in next update)
https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
Initially fixed in 1.4.6-1, but then reverted to 1.4.2 (packaged as 1.4.6+really1.4.2-1) due to the bullseye freeze.
