CVE-2020-15693

In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP header names or values.
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
VendorProductVersion
nim-langnim
𝑥
≤ 1.2.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nim
bullseye
1.4.6+really1.4.2-2
fixed
buster
no-dsa
stretch
no-dsa
bookworm
1.6.10-2
fixed
sid
1.6.14-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nim
noble
Fixed 1.2.6-1
released
mantic
Fixed 1.2.6-1
released
lunar
Fixed 1.2.6-1
released
impish
Fixed 1.2.6-1
released
hirsute
Fixed 1.2.6-1
released
groovy
Fixed 1.2.6-1
released
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2021/02/04/2
https://consensys.net/diligence/vulnerabilities/nim-httpclient-header-crlf-injection/
https://github.com/nim-lang/Nim/blob/dc5a40f3f39c6ea672e6dc6aca7f8118a69dda99/lib/pure/httpclient.nim#L1023
https://nim-lang.org/blog/2020/07/30/versions-126-and-108-released.html
http://www.openwall.com/lists/oss-security/2021/02/04/2
https://consensys.net/diligence/vulnerabilities/nim-httpclient-header-crlf-injection/
https://github.com/nim-lang/Nim/blob/dc5a40f3f39c6ea672e6dc6aca7f8118a69dda99/lib/pure/httpclient.nim#L1023
https://nim-lang.org/blog/2020/07/30/versions-126-and-108-released.html