CVE-2020-15694

Publication date 14 August 2020

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

7.5 · High

Score breakdown

In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length.

Status

Package Ubuntu Release Status
nim 24.10 oracular
Fixed 1.2.6-1
24.04 LTS noble
Fixed 1.2.6-1
23.10 mantic
Fixed 1.2.6-1
23.04 lunar
Fixed 1.2.6-1
21.10 impish
Fixed 1.2.6-1
21.04 hirsute
Fixed 1.2.6-1
20.10 groovy
Fixed 1.2.6-1
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
14.04 LTS trusty Not in release

Severity score breakdown

Parameter Value
Base score 7.5 · High
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N