vulnerability

SUSE: CVE-2021-41259: SUSE Linux Security Advisory

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:P/I:P/A:P)	Nov 12, 2021	Dec 16, 2021	Apr 10, 2023

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Nov 12, 2021

Added

Dec 16, 2021

Modified

Apr 10, 2023

Description

Nim is a systems programming language with a focus on efficiency, expressiveness, and elegance. In affected versions the uri.parseUri function which may be used to validate URIs accepts null bytes in the input URI. This behavior could be used to bypass URI validation. For example: parseUri("http://localhost\0hello").hostname is set to "localhost\0hello". Additionally, httpclient.getContent accepts null bytes in the input URL and ignores any data after the first null byte. Example: getContent("http://localhost\0hello") makes a request to localhost:80. An attacker can use a null bytes to bypass the check and mount a SSRF attack.

Solution

suse-upgrade-nim

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today