CR-LF Injection Vulnerability in Nim's HttpClient Library
CVE-2020-15693
6.5 MEDIUM
Summary
The Nim programming language's standard library includes the HttpClient, which is susceptible to CR-LF injection attacks. This vulnerability occurs when an attacker can manipulate any part of the URL in functions like httpClient.get or httpClient.post, or when they control the User-Agent header or other custom HTTP headers. Exploiting this vulnerability can lead to security breaches, as it may allow the injection of unintended content into HTTP responses, thereby impacting the integrity and confidentiality of the application's communication.
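A defensive wrapper for the inputs the summary names (URL, User-Agent, custom headers), given here as an added example and not code from this advisory or from Nim's standard library. The proc names `hasCtl`, `requireClean`, `checkedHeaders`, `checkedClient` and `safeGetContent` are hypothetical, and rejecting raw CR, LF and NUL is this example's assumption about what to filter.

```nim
import std/httpclient

# Hypothetical helpers for this example; not part of Nim's standard library.
# Assumption: these raw bytes are what can split a request line or a header.
const Forbidden = {'\r', '\n', '\0'}

proc hasCtl(s: string): bool =
  ## True when s contains a raw CR, LF or NUL byte.
  for c in s:
    if c in Forbidden:
      return true
  false

proc requireClean(what, value: string) =
  ## Fail closed instead of stripping, so the caller sees the bad input.
  if hasCtl(value):
    raise newException(ValueError, what & " contains CR/LF or NUL")

proc checkedHeaders(pairs: openArray[tuple[key: string, val: string]]): HttpHeaders =
  ## Validate custom header names and values before building HttpHeaders.
  for p in pairs:
    requireClean("header name", p.key)
    requireClean("header value", p.val)
  newHttpHeaders(pairs)

proc checkedClient(userAgent: string): HttpClient =
  ## Validate the User-Agent before it reaches the client.
  requireClean("User-Agent", userAgent)
  newHttpClient(userAgent = userAgent)

proc safeGetContent(client: HttpClient, url: string): string =
  ## Validate the whole URL before any request is built.
  requireClean("URL", url)
  client.getContent(url)

when isMainModule:
  # Constructed inputs; the rejected calls raise before any network access.
  let client = checkedClient("example-agent/1.0")
  doAssertRaises(ValueError):
    discard safeGetContent(client, "http://example.test/a\r\nX-Injected: 1")
  doAssertRaises(ValueError):
    discard checkedHeaders({"X-Trace": "abc\r\nHost: other.example"})
  doAssert checkedHeaders({"X-Trace": "abc"}).hasKey("X-Trace")
  client.close()
```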
References
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved