Vulnerability Details : CVE-2021-21372
Potential exploit
Nimble is a package manager for the Nim programming language. In Nim release versions before 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.
Vulnerability category: Input validation
Products affected by CVE-2021-21372
- cpe:2.3:a:nim-lang:nim:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-21372
- Probability of exploitation activity in the next 30 days: 0.33%
- Percentile, the proportion of vulnerabilities that are scored at or less: ~71%
CVSS scores for CVE-2021-21372
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
8.3 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | 1.6 | 6.0 | GitHub, Inc. | |
CWE ids for CVE-2021-21372
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security-advisories@github.com (Secondary)
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Assigned by: security-advisories@github.com (Secondary)
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-21372
- https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
  nimble/changelog.markdown at master · nim-lang/nimble · GitHub (Release Notes; Third Party Advisory)
- https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
  Nimble arbitrary code execution for specially crafted package metadata · Advisory · nim-lang/security · GitHub (Third Party Advisory)
- https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
  Nim - Insecure SSL/TLS Defaults, MitM, and nimble shell command injection | ConsenSys Diligence (Exploit; Third Party Advisory)
- https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37
  Merge pull request #894 from nim-lang/fixes-rce · nim-lang/nimble@7bd63d5 · GitHub (Patch; Third Party Advisory)