CVE-2021-21372
- Source
- https://cve.org/CVERecord?id=CVE-2021-21372
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21372.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-21372
- Downstream
- Related
- Published
- 2021-03-26T22:15:12.697Z
- Modified
- 2026-03-20T11:38:31.104849Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.
- References
-
- https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
- https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
- https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37
- https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
Affected packages
Git / github.com/nim-lang/nim
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nim-lang/nim
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "1.2.10" }, { "introduced": "1.4.0" }, { "fixed": "1.4.4" } ] }
- Type
- GIT
- Repo
- https://github.com/nim-lang/nimble
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed