1260 matches found

OSV
added 2021/03/26 10:15 p.m., 2 views

UBUNTU-CVE-2021-21373

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker...

CVSS 7.5, AI score 5.9, EPSS 0.01155
Exploits 1, References 3
Debian CVE
added 2021/03/26 9:25 p.m., 19 views

CVE-2021-21373

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker...

CVSS 7.5, AI score 6.8, EPSS 0.01155
Exploits 1
Cvelist
added 2021/03/26 9:25 p.m., 18 views

CVE-2021-21373 Nimble falls back to insecure http url when fetching packages

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker...

CVSS 7.5, AI score 8.4, EPSS 0.01155
Exploits 1, References 3
CVE
added 2021/03/26 9:25 p.m., 179 views

CVE-2021-21373

CVE-2021-21373 affects Nimble, the Nim package manager. The issue arises when nimble refresh fetches the package list over HTTPS but falls back to an insecure HTTP URL on error, enabling a MitM to deliver a malicious package list. If affected packages are installed, this can lead to untrusted cod...

CVSS 7.5, AI score 7.2, EPSS 0.01155
Exploits 1, References 3, Affected Software 1
CVE
added 2021/03/26 9:25 p.m., 207 views

CVE-2021-21374

CVE-2021-21374 affects Nimble (Nim package manager) where Nimble refresh may fetch the package list over HTTPS without full SSL/TLS verification due to httpClient defaults, enabling a MitM to deliver a modified package list and installable packages. If such packages are installed, this can lead t...

CVSS 8.1, AI score 8.4, EPSS 0.01035
Exploits 1, References 4, Affected Software 1
Cvelist
added 2021/03/26 9:25 p.m., 21 views

CVE-2021-21374 Nimble fails to validate certificates due to insecure httpClient defaults

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to...

CVSS 8.1, AI score 8.7, EPSS 0.01035
Exploits 1, References 4
OpenVAS
added 2021/03/26 12:0 a.m., 32 views

Debian: Security Advisory (DLA-2608-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 6.9, AI score 7.5, EPSS 0.99019
Exploits 11, References 6
CNNVD
added 2021/03/26 12:0 a.m., 15 views

Nimble Trust Management Issue Vulnerability

Nimble is an open source package manager for the Nim programming language. A trust management issue vulnerability exists in Nimble versions 1.2.10 and 1.4.4, which can be exploited by an attacker to deliver a modified list of packages containing malware packages, leading to untrusted code executi...

CVSS 8.1, AI score 7.8, EPSS 0.01035
Exploits 1, References 7
CNNVD
added 2021/03/26 12:0 a.m., 14 views

Nimble Trust Management Issue Vulnerability

Nimble is an open source package manager for the Nim programming language. Nimble before versions 1.2.10 and 1.4.4 suffers from a trust management issue vulnerability that can be exploited by an attacker to deliver a modified list of packages containing malware packages. If the package is install...

CVSS 7.5, AI score 6.9, EPSS 0.01155
Exploits 1, References 6
Tenable Nessus
added 2021/03/17 12:0 a.m., 35 views

RHEL 7 : ipa (RHSA-2021:0860)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:0860 advisory. Red Hat Identity Management IdM is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based...

CVSS 6.9, AI score 7, EPSS 0.8383
Exploits 6, References 11
OSV
added 2021/03/10 9:51 p.m., 20 views

GHSA-8278-88VV-X98R Execution of untrusted code through config file

Impact: It is possible to run arbitrary commands through the yaml.load method. This could allow an attacker with local access to the host to run arbitrary code by running the application with a specially crafted YAML configuration file. Workarounds: Manually adjust yaml.load to yaml.safe_load. For mo...

CVSS 5, AI score 8.5, EPSS 0.00452
Exploits 0, References 6
Cvelist
added 2021/03/10 9:50 p.m., 14 views

CVE-2021-21371 Execution of untrusted code through config file

Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data, then generate Jira Tasks and sub-tasks based on the vulnerabilities' current state. It is published in pypi as "tenable-jira-cloud". In tenable-jira-cloud before version 1.1.21, it is possible to run...

CVSS 5, AI score 8.7, EPSS 0.00452
Exploits 0, References 4
ICS
added 2021/03/09 12:0 a.m., 80 views

Siemens LOGO! 8 BM

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories CERT Services | Services |...

CVSS 5.5, AI score 5.8, EPSS 0.00266
Exploits 0, References 10
Veracode
added 2021/03/04 4:39 a.m., 13 views

Unauthorised Modification

pgpverify-maven-plugin allows unauthorized modification. An attacker is able to push base repository or access secrets by checking out and running build script from a fork the untrusted code is running in an environment...

AI score 3
Exploits 0
Veracode
added 2021/02/04 4:0 a.m., 11 views

Arbitrary Code Execution

github.com/aeraki-framework/aeraki is vulnerable to arbitrary code execution. Workflows triggered on pull_request_target have read/write tokens for the base repository and access to secrets. By explicitly checking out and running the build script from a fork, the untrusted code is running in an...

AI score 3.1
Exploits 0
NCSC
added 2021/01/21 12:0 a.m., 5 views

Vulnerability fixed in Oracle Java SE

Oracle has fixed vulnerabilities in the following Oracle Java products: Java SE JDK and JRE The vulnerabilities allow an unauthenticated malicious person with network access to the vulnerable system may be able to system data. Only applications that execute untrusted code e.g., using third-party...

CVSS 5.3, AI score 7.1, EPSS 0.03063
Exploits 0
Tenable Nessus
added 2020/12/18 12:0 a.m., 69 views

RHEL 8 : python-XStatic-jQuery224 (RHSA-2020:5412)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:5412 advisory. python-XStatic-jQuery is the jQuery javascript library packaged for Python's setuptools Security Fixes: Passing HTML containing elements to...

CVSS 6.9, AI score 7.4, EPSS 0.8383
Exploits 6, References 5
CNNVD
added 2020/12/15 12:0 a.m., 21 views

Google Asylo Buffer Error Vulnerability

Google Asylo is a framework for developing trusted applications from Google Inc. in the United States. The software supports the creation of a trusted execution environment, including software isolation and hardware isolation. A buffer error vulnerability exists in Google Asylo version 0.6.0 and...

CVSS 7.8, AI score 7.4, EPSS 0.00139
Exploits 0, References 2
CNVD
added 2020/11/17 12:0 a.m., 6 views

Google Go Cmd/go Code Execution Vulnerability

Google Go Cmd/go is a codebase that provides command support for the Go language from the U.S. company Google. A code execution vulnerability exists in versions prior to go 1.15.5,1 that stems from the fact that when using cgo, the go command may execute arbitrary code at build time. This...

CVSS 7.5, AI score 8.2, EPSS 0.03813
Exploits 0, References 1
RedHat Linux
added 2020/11/04 1:39 a.m., 5 views

jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods

A flaw was found in jQuery. HTML containing <option> elements from untrusted sources are passed, even after sanitizing, to one of jQuery's DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity...

CVSS 6.9, AI score 6.6, EPSS 0.8383
Exploits 6, References 6