Lucene search

K
cvelistGitHub_MCVELIST:CVE-2021-21374
HistoryMar 26, 2021 - 9:25 p.m.

CVE-2021-21374 Nimble fails to validate certificates due to insecure httpClient defaults

2021-03-2621:25:14
CWE-599
CWE-349
CWE-348
GitHub_M
www.cve.org

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L

8.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.3%

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, “nimble refresh” fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.

CNA Affected

[
  {
    "product": "security",
    "vendor": "nim-lang",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.2.10"
      },
      {
        "status": "affected",
        "version": ">= 1.4.0, < 1.4.4"
      }
    ]
  }
]

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L

8.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.3%