CVE-2021-21372

Name: CVE-2021-21372
Description: Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 987272

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release        Version                  Status
nim (PTS)        buster         0.19.4-1                 vulnerable
                 bullseye       1.4.6+really1.4.2-2      fixed
                 bookworm       1.6.10-2                 fixed
                 sid, trixie    1.6.14-1                 fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version            Urgency   Origin   Debian Bugs
nim       source   (unstable)   1.4.6+really1.4.2-1                         987272

Notes

[buster] - nim <no-dsa> (Minor issue)
[stretch] - nim <postponed> (Minor issue; can be fixed in next update)
https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
Initially fixed in 1.4.6-1, but then reverted to 1.4.2 due to bullseye freeze
