{"id":"CVE-2021-21373","details":"Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, \"nimble refresh\" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.","modified":"2026-04-10T04:29:37.504220Z","published":"2021-03-26T22:15:12.773Z","related":["GHSA-8w52-r35x-rgp8","openSUSE-SU-2021:0618-1","openSUSE-SU-2021:0628-1","openSUSE-SU-2022:10095-1","openSUSE-SU-2022:10101-1","openSUSE-SU-2024:11093-1"],"references":[{"type":"ADVISORY","url":"https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130"},{"type":"ADVISORY","url":"https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8"},{"type":"EVIDENCE","url":"https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nim-lang/nim","events":[{"introduced":"0"},{"fixed":"ebc114c5266582dcaf5e323e0ec3d2b2a9f17063"},{"introduced":"018ae963ba83934a68d815c3c1c44c06e8ec6178"},{"fixed":"2ff517462bf8609b30e6134c96658aa7912b628a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.10"},{"introduced":"1.4.0"},{"fixed":"1.4.4"}]}}],"versions":["v0.10.2","v0.11.0","v0.11.2","v0.12.0","v0.13.0","v0.14.0","v0.14.2","v0.15.0","v0.15.2","v0.16.0","v0.17.0","v0.17.2","v0.18.0","v0.19.0","v0.20.0","v0.8.14","v0.9.0","v0.9.2","v0.9.4","v1.0.0","v1.2.0","v1.2.2","v1.2.4","v1.2.6","v1.2.8","v1.4.0","v1.4.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21373.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}