CVE-2021-21373 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2021-21373 Interim 1 16 2023-09-06T23:49:18Z current 2021-05-30T14:48:12Z 2023-09-06T23:49:18Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2021-21373 Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NV5NCUH7W5BZXNXEYHHUQGISDZUK64IU/ E-Mail link for openSUSE-SU-2021:0618-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3KP4YJ5PY3MI63TQDVZA6BQHCQPAXBGB/ E-Mail link for openSUSE-SU-2021:0628-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HM5F2H5AWO4WRQSTOWMODGKMXAHHBVRH/ E-Mail link for openSUSE-SU-2022:10095-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ E-Mail link for openSUSE-SU-2022:10101-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 15 SP2 SUSE Package Hub 15 SP3 SUSE Package Hub 15 SP4 openSUSE Leap 15.2 openSUSE Leap 15.3 openSUSE Leap 15.4 openSUSE Tumbleweed nim-1.2.12-1.7 nim-1.2.12-bp152.4.3.1 nim-1.2.12-lp152.2.3.1 nim-1.6.6-bp153.2.3.1 nim-1.6.6-bp154.2.3.1 nim-1.2.12-bp152.4.3.1 as a component of SUSE Package Hub 15 SP2 nim-1.6.6-bp153.2.3.1 as a component of SUSE Package Hub 15 SP3 nim-1.6.6-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4 nim-1.2.12-lp152.2.3.1 as a component of openSUSE Leap 15.2 nim-1.6.6-bp153.2.3.1 as a component of openSUSE Leap 15.3 nim-1.6.6-bp154.2.3.1 as a component of openSUSE Leap 15.4 nim-1.2.12-1.7 as a component of openSUSE Tumbleweed Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution. CVE-2021-21373 SUSE Package Hub 15 SP2:nim-1.2.12-bp152.4.3.1 SUSE Package Hub 15 SP3:nim-1.6.6-bp153.2.3.1 SUSE Package Hub 15 SP4:nim-1.6.6-bp154.2.3.1 openSUSE Leap 15.2:nim-1.2.12-lp152.2.3.1 openSUSE Leap 15.3:nim-1.6.6-bp153.2.3.1 openSUSE Leap 15.4:nim-1.6.6-bp154.2.3.1 openSUSE Tumbleweed:nim-1.2.12-1.7 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N