CVE-2021-21372 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2021-21372 Interim 1 18 2025-02-17T00:52:18Z current 2021-05-30T14:48:12Z 2025-02-17T00:52:18Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2021-21372 Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NV5NCUH7W5BZXNXEYHHUQGISDZUK64IU/ E-Mail link for openSUSE-SU-2021:0618-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3KP4YJ5PY3MI63TQDVZA6BQHCQPAXBGB/ E-Mail link for openSUSE-SU-2021:0628-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HM5F2H5AWO4WRQSTOWMODGKMXAHHBVRH/ E-Mail link for openSUSE-SU-2022:10095-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SNDISR45BBTIWW5MDTIQOSRHOEV3XUKF/ E-Mail link for openSUSE-SU-2022:10101-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 15 SP2 SUSE Package Hub 15 SP3 SUSE Package Hub 15 SP4 openSUSE Leap 15.2 openSUSE Leap 15.3 openSUSE Leap 15.4 openSUSE Tumbleweed nim-1.2.12-1.7 nim-1.2.12-bp152.4.3.1 nim-1.2.12-lp152.2.3.1 nim-1.6.6-bp153.2.3.1 nim-1.6.6-bp154.2.3.1 nim-1.2.12-bp152.4.3.1 as a component of SUSE Package Hub 15 SP2 nim-1.6.6-bp153.2.3.1 as a component of SUSE Package Hub 15 SP3 nim-1.6.6-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4 nim-1.2.12-lp152.2.3.1 as a component of openSUSE Leap 15.2 nim-1.6.6-bp153.2.3.1 as a component of openSUSE Leap 15.3 nim-1.6.6-bp154.2.3.1 as a component of openSUSE Leap 15.4 nim-1.2.12-1.7 as a component of openSUSE Tumbleweed Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution. CVE-2021-21372 SUSE Package Hub 15 SP2:nim-1.2.12-bp152.4.3.1 SUSE Package Hub 15 SP3:nim-1.6.6-bp153.2.3.1 SUSE Package Hub 15 SP4:nim-1.6.6-bp154.2.3.1 openSUSE Leap 15.2:nim-1.2.12-lp152.2.3.1 openSUSE Leap 15.3:nim-1.6.6-bp153.2.3.1 openSUSE Leap 15.4:nim-1.6.6-bp154.2.3.1 openSUSE Tumbleweed:nim-1.2.12-1.7 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H