AVG-1842 log
| Package | nimble |
| Status | Fixed |
| Severity | High |
| Type | multiple issues |
| Affected | 1:0.12.0-1 |
| Fixed | 1:0.13.1-1 |
| Current | Removed |
| Ticket | None |
| Created | Tue Apr 20 19:26:09 2021 |
| Issue | Severity | Remote | Type | Description |
|---|---|---|---|---|
| CVE-2021-21374 | High | Yes | Man-in-the-middle | In Nimble before version 0.13.0, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to... |
| CVE-2021-21373 | High | Yes | Man-in-the-middle | In Nimble before version 0.13.0, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL... |
| CVE-2021-21372 | High | Yes | Arbitrary command execution | In Nimble before version 0.13.0, doCmd can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package... |
| Date | Advisory | Package | Type |
|---|---|---|---|
| 29 Apr 2021 | ASA-202104-6 | nimble | multiple issues |