| Vulnerability Name: | CVE-2020-15692 (CCN-186875) | ||||||||||||
| Assigned: | 2020-07-30 | ||||||||||||
| Published: | 2020-07-30 | ||||||||||||
| Updated: | 2021-02-08 | ||||||||||||
| Summary: | In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system commands. | ||||||||||||
| CVSS v3 Severity: | 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
| ||||||||||||
| Vulnerability Type: | CWE-88 | ||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2020-15692 Source: MLIST Type: Exploit, Mailing List, Third Party Advisory [oss-security] 20210204 [CVE-2020-15692] Nim - stdlib Browsers - `open` Argument Injection Source: MISC Type: Exploit, Third Party Advisory https://consensys.net/diligence/vulnerabilities/nim-browsers-argument-injection/ Source: XF Type: UNKNOWN nim-cve202015692-command-exec(186875) Source: MISC Type: Patch, Third Party Advisory https://github.com/nim-lang/Nim/blob/dc5a40f3f39c6ea672e6dc6aca7f8118a69dda99/lib/pure/browsers.nim#L48 Source: CCN Type: Nim Web site Nim Source: CCN Type: Nim Blog, 30 July 2020 Versions 1.2.6 and 1.0.8 released Source: CONFIRM Type: Release Notes, Third Party Advisory https://nim-lang.org/blog/2020/07/30/versions-126-and-108-released.html | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Denotes that component is vulnerable | ||||||||||||
| Oval Definitions | |||||||||||||
| |||||||||||||
| BACK | |||||||||||||