Nimble is the package manager for the Nim programming language. In Nim releases before 1.2.10 and 1.4.4, `nimble refresh` fetches the list of Nimble packages over HTTPS without fully verifying the server's SSL/TLS certificate, because it relies on the default SSL context of the standard httpClient, which in those versions did not verify the peer. An attacker able to perform a man-in-the-middle (MitM) attack can therefore deliver a modified package list containing malicious software packages. If those packages are installed and used, the attack escalates to untrusted code execution.
The product does not validate, or incorrectly validates, a certificate.
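The following is an added example, not Nimble's own code, showing the difference between relying on httpClient's default SSL context and explicitly requesting certificate verification when fetching a package list. The URL is a placeholder, and the code must be compiled with `-d:ssl`.

```nim
# Added illustration (not from Nimble): fetching a package index over HTTPS.
# On Nim < 1.2.10 / 1.4.4 the default SSL context used by std/httpclient did
# not verify the server certificate, so a MitM could serve a forged list.
import std/[httpclient, net]

# Placeholder URL; the real package list location is not part of this example.
const packageListUrl = "https://example.invalid/packages.json"

proc fetchWithDefaultContext(url: string): string =
  ## Depends on the library default. On affected Nim versions this silently
  ## accepts any certificate; on fixed versions the default verifies the peer.
  let client = newHttpClient()
  defer: client.close()
  result = client.getContent(url)

proc fetchWithVerification(url: string): string =
  ## Hardened form: build an SSL context that requires the server certificate
  ## to chain to a trusted CA, independent of the library's default setting.
  let ctx = newContext(verifyMode = CVerifyPeer)
  let client = newHttpClient(sslContext = ctx)
  defer: client.close()
  result = client.getContent(url)

when isMainModule:
  try:
    # A forged or self-signed certificate raises SslError here instead of
    # being accepted, which is the behaviour a package manager needs.
    echo fetchWithVerification(packageListUrl)
  except SslError as e:
    stderr.writeLine "TLS verification failed: ", e.msg
  except CatchableError as e:
    stderr.writeLine "fetch failed: ", e.msg
```

Pinning `verifyMode = CVerifyPeer` explicitly is the defensive check worth applying to any Nim code that downloads installable artifacts, since it does not depend on which compiler version built the tool.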
Name | Vendor | Start Version | End Version |
---|---|---|---|
Nim | Nim-lang | * | 1.2.10 (excluding) |
Nim | Nim-lang | 1.4.0 (including) | 1.4.4 (excluding) |
Nim | Ubuntu | bionic | * |
Nim | Ubuntu | groovy | * |
Nim | Ubuntu | hirsute | * |
Nim | Ubuntu | impish | * |
Nim | Ubuntu | lunar | * |
Nim | Ubuntu | mantic | * |
Nim | Ubuntu | trusty | * |
Nim | Ubuntu | xenial | * |