Upstream information
Description
Nim is a systems programming language with a focus on efficiency, expressiveness, and elegance. In affected versions, the uri.parseUri function, which may be used to validate URIs, accepts null bytes in the input URI. This behavior could be used to bypass URI validation. For example, parseUri("http://localhost\0hello").hostname is set to "localhost\0hello". Additionally, httpclient.getContent accepts null bytes in the input URL and ignores any data after the first null byte. For example, getContent("http://localhost\0hello") makes a request to localhost:80. An attacker can use a null byte to bypass the check and mount an SSRF attack.
SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
National Vulnerability Database | |
---|---|
Base Score | 8.6 |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | None |
Scope | Changed |
Confidentiality Impact | High |
Integrity Impact | None |
Availability Impact | None |
CVSSv3 Version | 3.1 |
SUSE Security Advisories:
- openSUSE-SU-2021:1585-1, published Thu Dec 16 21:44:34 2021
- openSUSE-SU-2021:1592-1, published Sat Dec 18 15:49:41 2021
- openSUSE-SU-2022:10095-1, published Wed Aug 24 10:48:30 2022
- openSUSE-SU-2022:10101-1, published Sat Aug 27 18:50:23 2022
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
SUSE Package Hub 15 SP2 | | Patchnames: openSUSE-2021-1592 |
SUSE Package Hub 15 SP3 | | Patchnames: openSUSE-2022-10095 |
SUSE Package Hub 15 SP4 | | Patchnames: openSUSE-2022-10101 |
openSUSE Leap 15.2 | | Patchnames: openSUSE-2021-1585 |
openSUSE Leap 15.3 | | Patchnames: openSUSE-2022-10095 |
openSUSE Leap 15.4 | | Patchnames: openSUSE-2022-10101 |
openSUSE Tumbleweed | | Patchnames: openSUSE Tumbleweed GA nim-1.6.6-3.1 |
SUSE Timeline for this CVE
CVE page created: Fri Nov 12 23:00:09 2021
CVE page last modified: Wed Oct 26 23:26:39 2022
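
A defensive check for the validation bypass in the Description above, as an added Nim example that is not from the advisory or the Nim project: it rejects NUL and other control bytes in the raw string before parseUri is called, then compares the parsed hostname exactly against an allowlist. The validateUrl name and the allowedHosts values are assumptions made for the illustration.

```nim
import std/[uri, strutils]

const
  # Constructed allowlist for this example; not taken from the advisory.
  allowedHosts = ["api.example.com", "static.example.com"]
  # NUL, the other C0 control bytes, space and DEL never belong in a raw URL.
  forbidden = {'\0'..'\x20', '\x7f'}

proc validateUrl(raw: string): tuple[ok: bool, reason: string] =
  ## Returns ok=true only when `raw` is safe to hand to an HTTP client.
  # 1. Inspect the raw bytes first, so a parser that tolerates NUL and a
  #    client that truncates at NUL can never disagree about the host.
  for i, c in raw:
    if c in forbidden:
      return (false, "forbidden byte 0x" & toHex(ord(c), 2) &
                     " at offset " & $i)
  # 2. Parse, then require an allowed scheme and an exact hostname match.
  let u = parseUri(raw)
  if u.scheme notin ["http", "https"]:
    return (false, "scheme not allowed: " & u.scheme)
  if u.hostname.toLowerAscii notin allowedHosts:
    return (false, "host not allowed: " & u.hostname)
  (true, "")

when isMainModule:
  # Constructed inputs; the second is the string quoted in the Description.
  for s in ["https://api.example.com/v1/items",
            "http://localhost\0hello",
            "ftp://api.example.com/file",
            "http://localhost/admin"]:
    let (ok, reason) = validateUrl(s)
    echo escape(s), " -> ", (if ok: "accept" else: "reject: " & reason)
```

Only a string that passes validateUrl should be given to httpclient, and the same string must be used for the request so the validated value and the fetched value cannot differ.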