AVG-1842 log

Package nimble
Status Fixed
Severity High
Type multiple issues
Affected 1:0.12.0-1
Fixed 1:0.13.1-1
Current Removed
Ticket None
Created Tue Apr 20 19:26:09 2021

Issue | Severity | Remote | Type | Description
CVE-2021-21374 | High | Yes | Man-in-the-middle | In Nimble before version 0.13.0, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to...
CVE-2021-21373 | High | Yes | Man-in-the-middle | In Nimble before version 0.13.0, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL...
CVE-2021-21372 | High | Yes | Arbitrary command execution | In Nimble before version 0.13.0, doCmd can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package...

Date | Advisory | Package | Type
29 Apr 2021 | ASA-202104-6 | nimble | multiple issues