CVE-2021-21372

Description

Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.

How to fix CVE-2021-21372

To remediate CVE-2021-21372, upgrade the affected package to a fixed version below.

Debian/nim—upgrade to 1.4.6+really1.4.2-1 or later

Is CVE-2021-21372 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.4.6+really1.4.2-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-21372