CVE-2021-21372
HIGH
Nim < 1.2.10 - Remote Code Execution via Nimble doCmd Command Injection
Title source: llmDescription
Nimble is the package manager for the Nim programming language and ships with the Nim compiler. In Nim releases before 1.2.10 and 1.4.4 (that is, 1.2.x before 1.2.10 and 1.4.x before 1.4.4), the bundled Nimble calls doCmd in several places with a command string that includes untrusted input, so the call can be leveraged to execute arbitrary shell commands. An attacker who can place a malicious entry in the packages.json package list (the list Nimble consults to resolve package names to repository URLs) can trigger command execution on the machine of any user whose Nimble processes that entry.
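The bug class described above, as an added example: hypothetical Python that models the pattern (a package-list entry spliced into a shell command string) beside the argv-based and quoted forms that neutralise it. This is not Nimble's Nim source; the packages.json fragment is constructed for the demo, and `echo` stands in for `git clone` so the block runs offline.

```python
"""Model of the CVE-2021-21372 bug class: fields from a package list
are concatenated into one string that is handed to /bin/sh.

Hypothetical example code, not Nimble's implementation. The
name/url/method fields mirror the packages.json shape, but the entries
below are constructed, and `echo` replaces `git`/`hg` so nothing is
fetched from the network.
"""
import json
import re
import shlex
import subprocess

# Constructed packages.json fragment: one benign entry, one hostile one.
PACKAGES_JSON = """
[
  {"name": "good", "url": "https://github.com/example/good", "method": "git"},
  {"name": "evil", "url": "https://github.com/x/y; echo INJECTED", "method": "git"}
]
"""


def load_packages(text: str) -> list:
    """Parse the package list exactly as a client would."""
    return json.loads(text)


def fetch_vulnerable(entry: dict) -> str:
    """doCmd-style: the URL is interpolated into a shell command string.
    The `;` inside the hostile URL terminates the echo and starts a
    second command chosen by whoever controls packages.json."""
    cmd = f"echo {entry['method']} clone {entry['url']}"  # echo stands in for git/hg
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def fetch_safe(entry: dict) -> str:
    """argv-style: each field is a single argument and no shell is
    involved, so metacharacters in the URL are just bytes in argv[3]."""
    argv = ["echo", entry["method"], "clone", entry["url"]]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def fetch_quoted(entry: dict) -> str:
    """If a shell cannot be avoided, quote every interpolated field.
    Weaker than argv (easy to miss one field) but defeats this payload."""
    cmd = f"echo {shlex.quote(entry['method'])} clone {shlex.quote(entry['url'])}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Defence in depth: validate the entry before it reaches any command.
ALLOWED_METHODS = {"git", "hg"}
# Hypothetical allow-list: https scheme, host and path from a tight charset;
# also rules out a leading '-' that a VCS could read as an option.
URL_RE = re.compile(r"^https://[A-Za-z0-9._~-]+(?:/[A-Za-z0-9._~-]+)*$")


def validate_entry(entry: dict) -> bool:
    """True only for entries whose method and URL pass the allow-list."""
    return entry.get("method") in ALLOWED_METHODS and bool(URL_RE.match(entry.get("url", "")))


if __name__ == "__main__":
    for pkg in load_packages(PACKAGES_JSON):
        print(pkg["name"], "valid:", validate_entry(pkg))
        print("  shell  :", repr(fetch_vulnerable(pkg)))
        print("  argv   :", repr(fetch_safe(pkg)))
        print("  quoted :", repr(fetch_quoted(pkg)))
```

Run it on a POSIX host: the shell form prints INJECTED on its own line for the hostile entry, while the argv and quoted forms print the URL verbatim as one line. For a real VCS front end, pass `--` before the URL as well, since an argv list stops shell injection but not a URL that the tool itself parses as an option.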
References (4)
Exploit, Third Party Advisory
https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
Third Party Advisory (vendor confirmation)
https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
Release Notes, Third Party Advisory (Nimble 0.13.0 changelog)
https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
Patch, Third Party Advisory
https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37
Scores
CVSS v3.1 base score
8.3
EPSS
0.0364
EPSS Percentile
88.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-20 (Improper Input Validation)
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component: Injection)
CWE-78 (Improper Neutralization of Special Elements used in an OS Command: OS Command Injection)
Status
published
Products (1)
nim-lang/nim
< 1.2.10; 1.4.x < 1.4.4
Published
Mar 26, 2021
Tracked Since
Feb 18, 2026