ID CVE-2021-41259
Summary Nim is a systems programming language with a focus on efficiency, expressiveness, and elegance. In affected versions the uri.parseUri function which may be used to validate URIs accepts null bytes in the input URI. This behavior could be used to bypass URI validation. For example: parseUri("http://localhost\0hello").hostname is set to "localhost\0hello". Additionally, httpclient.getContent accepts null bytes in the input URL and ignores any data after the first null byte. Example: getContent("http://localhost\0hello") makes a request to localhost:80. An attacker can use a null bytes to bypass the check and mount a SSRF attack.
References
Vulnerable Configurations
  • cpe:2.3:a:nim-lang:nim:1.2.12:*:*:*:*:*:*:*
    cpe:2.3:a:nim-lang:nim:1.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:nim-lang:nim:1.4.4:*:*:*:*:*:*:*
    cpe:2.3:a:nim-lang:nim:1.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:nim-lang:nim:1.4.6:*:*:*:*:*:*:*
    cpe:2.3:a:nim-lang:nim:1.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:nim-lang:nim:1.4.8:*:*:*:*:*:*:*
    cpe:2.3:a:nim-lang:nim:1.4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:nim-lang:nim:1.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:nim-lang:nim:1.6.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 17-11-2021 - 15:45)
Impact:
Exploitability:
CWE CWE-918
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
Last major update 17-11-2021 - 15:45
Published 12-11-2021 - 18:15
Last modified 17-11-2021 - 15:45
Back to Top