CVE-2021-21372

Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.

References

Affected packages

Git / github.com/nim-lang/nim

Affected ranges

Type

GIT

Repo

https://github.com/nim-lang/nim

Events

Introduced

Fixed

ebc114c5266582dcaf5e323e0ec3d2b2a9f17063

Introduced

018ae963ba83934a68d815c3c1c44c06e8ec6178

Fixed

2ff517462bf8609b30e6134c96658aa7912b628a

Database specific

{
    "cpe": "cpe:2.3:a:nim-lang:nim:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.2.10"
        },
        {
            "introduced": "1.4.0"
        },
        {
            "fixed": "1.4.4"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

v0.*

v0.10.2

v0.11.0

v0.11.2

v0.12.0

v0.13.0

v0.14.0

v0.14.2

v0.15.0

v0.15.2

v0.16.0

v0.17.0

v0.17.2

v0.18.0

v0.19.0

v0.20.0

v0.8.14

v0.9.0

v0.9.2

v0.9.4

v1.*

v1.0.0

v1.2.0

v1.2.2

v1.2.4

v1.2.6

v1.2.8

v1.4.0

v1.4.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21372.json"

Git / github.com/nim-lang/nimble

Affected ranges

Type

GIT

Repo

https://github.com/nim-lang/nimble

Events

Introduced

Fixed

7bd63d504a4157b8ed61a51af47fb086ee818c37

Database specific

{
    "source": "REFERENCES"
}

Affected versions

v0.*

v0.10.0

v0.10.2

v0.11.0

v0.11.2

v0.11.4

v0.12.0

v0.2

v0.4

v0.6

v0.6.2

v0.6.4

v0.7.0

v0.7.10

v0.7.2

v0.7.4

v0.7.6

v0.7.8

v0.8.0

v0.8.10

v0.8.2

v0.8.4

v0.8.6

v0.8.8

v0.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21372.json"