PT-2021-14456 · Nimble+3

Tintinweb

·

Published

2021-03-26

·

Updated

2024-06-15

·

CVE-2021-21373

CVSS v3.1

7.5

High

Vector

AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L

Name of the Vulnerable Software and Affected Versions

Nim versions prior to 1.2.10; Nim 1.4.x versions prior to 1.4.4

Description

The issue affects Nimble, the package manager shipped with the Nim programming language. When "nimble refresh" is run, it fetches the package list over HTTPS by default but, if that fetch fails for any reason, silently falls back to the non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker in a Man-in-the-Middle (MitM) position only needs to make the HTTPS connection fail (for example by dropping or resetting it) to trigger the downgrade, and can then serve a modified package list over plain HTTP that points package names at attacker-controlled repositories. If a user subsequently installs and uses such a package, the attack escalates to execution of untrusted code on the user's machine.

Recommendations

For versions prior to 1.2.10, update to 1.2.10 or later; for 1.4.x versions prior to 1.4.4, update to 1.4.4 or later. The fixed versions no longer fall back to the plain-HTTP URL. Until the update can be applied, avoid running "nimble refresh" on untrusted networks, do not configure any package list source that uses a non-TLS URL, and treat a refresh that only succeeded after an HTTPS failure as suspect.
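The downgrade described above, modelled as an added example (this is not Nimble's code and not the page's own). It contrasts the vulnerable policy, which falls back to the plain-HTTP URL on any error, with a hardened fetch that only accepts HTTPS sources and fails closed. The primary URL, the `FakeNetwork` attacker model, the function names and the sample package entries are assumptions made for illustration; only the fallback URL and the JSON shape of a packages.json entry follow the advisory and the public package-list format.

```python
"""Added example (not Nimble's own code): the CVE-2021-21373 http:// fallback.

A package manager that tries an HTTPS URL and then silently falls back to a
plain-HTTP URL when the TLS fetch fails hands an on-path attacker a cheap
downgrade: break the TLS connection, then answer the HTTP request with a
tampered package list. Names below (fetch_package_list_*, FakeNetwork, the
sample packages) are illustrative; PRIMARY_URL is an assumed default.
"""
import json
from typing import Callable, Dict, List

Fetcher = Callable[[str], bytes]

PRIMARY_URL = "https://github.com/nim-lang/packages/raw/master/packages.json"  # assumed
FALLBACK_URL = "http://irclogs.nim-lang.org/packages.json"  # non-TLS fallback from the advisory

# Constructed sample data: the genuine entry and the attacker's rewritten copy.
GENUINE_LIST = [
    {"name": "jester", "url": "https://github.com/dom96/jester", "method": "git",
     "tags": ["web"], "description": "A sinatra-like web framework", "license": "MIT"},
]
TAMPERED_LIST = [
    # Same package name, but the repository now lives on an attacker-controlled host.
    {"name": "jester", "url": "https://evil.example/dom96/jester", "method": "git",
     "tags": ["web"], "description": "A sinatra-like web framework", "license": "MIT"},
]


class DownloadError(Exception):
    pass


class FakeNetwork:
    """Simulated on-path attacker: when break_tls is set, every https:// fetch
    fails (as if the connection were reset), and every http:// fetch is
    answered with the tampered list."""

    def __init__(self, break_tls: bool) -> None:
        self.break_tls = break_tls

    def __call__(self, url: str) -> bytes:
        if url.startswith("https://"):
            if self.break_tls:
                raise DownloadError("TLS handshake failed")
            return json.dumps(GENUINE_LIST).encode()
        # Anything fetched over plain HTTP is under the attacker's control.
        return json.dumps(TAMPERED_LIST).encode()


def fetch_package_list_vulnerable(fetch: Fetcher) -> List[Dict]:
    """Pre-1.2.10 / pre-1.4.4 behaviour: on any error, fall back to http://."""
    try:
        raw = fetch(PRIMARY_URL)
    except DownloadError:
        raw = fetch(FALLBACK_URL)  # downgrade: the attacker now supplies the list
    return json.loads(raw)


def fetch_package_list_fixed(fetch: Fetcher) -> List[Dict]:
    """Hardened: only https:// sources are tried, and a failure is an error,
    never a downgrade to an unauthenticated transport."""
    sources = [PRIMARY_URL]
    last_error = None
    for url in sources:
        if not url.startswith("https://"):
            raise ValueError(f"refusing non-TLS package list source: {url}")
        try:
            return json.loads(fetch(url))
        except DownloadError as exc:
            last_error = exc
    raise DownloadError(f"could not fetch package list over TLS: {last_error}")


def package_urls(pkgs: List[Dict]) -> Dict[str, str]:
    """Map package name to the repository URL that 'nimble install' would clone."""
    return {p["name"]: p["url"] for p in pkgs}


if __name__ == "__main__":
    attacked = FakeNetwork(break_tls=True)
    print("vulnerable:", package_urls(fetch_package_list_vulnerable(attacked)))
    try:
        fetch_package_list_fixed(attacked)
    except DownloadError as err:
        print("fixed:", err)
```

With the attacker model active, the vulnerable fetch quietly returns the list whose "jester" entry points at `evil.example`, which is exactly the input a later `nimble install jester` would act on; the hardened fetch raises instead, which is the behaviour the fixed versions adopt by dropping the fallback URL.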

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

ALT-PU-2021-1770
CVE-2021-21373
GHSA-8W52-R35X-RGP8
OPENSUSE-SU-2021:0618-1
OPENSUSE-SU-2021:0628-1
OPENSUSE-SU-2022:10095-1
OPENSUSE-SU-2022:10101-1
OPENSUSE-SU-2024:11093-1

Affected Products

Alt Linux
Nim
Nimble
Suse