Source: nim
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for nim.
CVE-2021-41259[0]:
| Nim is a systems programming language with a focus on efficiency,
| expressiveness, and elegance. In affected versions the uri.parseUri
| function which may be used to validate URIs accepts null bytes in the
| input URI. This behavior could be used to bypass URI validation. For
| example: parseUri("http://localhost\0hello";).hostname is set to
| "localhost\0hello". Additionally, httpclient.getContent accepts null
| bytes in the input URL and ignores any data after the first null byte.
| Example: getContent("http://localhost\0hello";) makes a request to
| localhost:80. An attacker can use a null bytes to bypass the check and
| mount a SSRF attack.
https://github.com/nim-lang/security/security/advisories/GHSA-3gg2-rw3q-qwgc
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-41259
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41259
Please adjust the affected versions in the BTS as needed.
