CVE-2020-15693

EUVD-2020-7680
In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP header names or values.
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
Affected Products (NVD)
VendorProductVersion
nim-langnim
𝑥
≤ 1.2.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nim
bookworm
1.6.10-2
fixed
bullseye
1.4.6+really1.4.2-2
fixed
buster
no-dsa
sid
1.6.14-3
fixed
stretch
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nim
bionic
needs-triage
focal
needs-triage
groovy
Fixed 1.2.6-1
released
hirsute
Fixed 1.2.6-1
released
impish
Fixed 1.2.6-1
released
lunar
Fixed 1.2.6-1
released
mantic
Fixed 1.2.6-1
released
noble
Fixed 1.2.6-1
released
trusty
dne
xenial
needs-triage
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2021/02/04/2
https://consensys.net/diligence/vulnerabilities/nim-httpclient-header-crlf-injection/
https://github.com/nim-lang/Nim/blob/dc5a40f3f39c6ea672e6dc6aca7f8118a69dda99/lib/pure/httpclient.nim#L1023
https://nim-lang.org/blog/2020/07/30/versions-126-and-108-released.html
http://www.openwall.com/lists/oss-security/2021/02/04/2
https://consensys.net/diligence/vulnerabilities/nim-httpclient-header-crlf-injection/
https://github.com/nim-lang/Nim/blob/dc5a40f3f39c6ea672e6dc6aca7f8118a69dda99/lib/pure/httpclient.nim#L1023
https://nim-lang.org/blog/2020/07/30/versions-126-and-108-released.html