Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh"…
GitHub_M·CWE-348·Published 2021-03-26
Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.
Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.
Nimble es un administrador de paquetes para el lenguaje de programación Nim. En las versiones de lanzamiento de Nim anteriores a 1.2.10 y 1.4.4, "nimble refresh" extrae una lista de paquetes de Nimble por medio de HTTPS sin una comprobación completa del certificado SSL/TLS debido a la configuración predeterminada de httpClient. Un atacante capaz de ejecutar un MitM puede entregar una lista de paquetes modificada que contenga paquetes de software malicioso. Si los paquetes son instalados y usados, el ataque se convierte en una ejecución de código que no es confiable.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 6.8 | 8.6 | 6.4 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| 3.1 | Primary | cve.org | 8.1 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L |
| 3.1 | Primary | cve.org | 8.1 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L |
| 3.1 | Primary | NVD | 8.1 | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 8.1 | 2.2 | 5.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L |