
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-21373 is a security vulnerability affecting Nimble, the package manager for the Nim programming language, in versions prior to 1.2.10 and 1.4.4. The vulnerability was discovered in February 2021 and publicly disclosed on March 26, 2021. The issue is an insecure fallback when fetching package lists: if the HTTPS request fails, Nimble silently retries over an unencrypted HTTP connection (GitHub Advisory).
When the 'nimble refresh' command is run to fetch package lists and the HTTPS connection fails, Nimble automatically falls back to the insecure HTTP URL http://irclogs.nim-lang.org/packages.json. This fallback happens without proper user notification or consent, so the user has no indication that the package list was retrieved over plaintext. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with the following metrics: Attack Vector: Network, Attack Complexity: High, Privileges Required: None, User Interaction: Required, Scope: Changed, Confidentiality: Low, Integrity: High, Availability: Low (GitHub Advisory).
An attacker capable of performing a Man-in-the-Middle (MitM) attack can exploit this vulnerability to deliver modified package lists containing malicious software packages. If these compromised packages are subsequently installed and used, the attack can escalate to untrusted code execution on the target system (GitHub Advisory, Consensys).
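The downgrade pattern described above, as an added illustration that is not Nimble's code: a fetcher that retries over plaintext when HTTPS fails, beside a fail-closed version that refuses any non-HTTPS URL. The transport is injected as a callable so the example runs offline; the URLs and the fake transport are constructed placeholders.

```python
"""HTTPS-to-HTTP downgrade: vulnerable pattern vs. fail-closed pattern.

Constructed example, NOT Nimble's code. The network transport is a
callable passed in by the caller so the demo needs no network access.
"""
from urllib.parse import urlparse

# Constructed stand-ins for a primary URL and an insecure fallback URL.
HTTPS_URL = "https://example.invalid/packages.json"
HTTP_URL = "http://example.invalid/packages.json"  # plaintext fallback


class TransportError(Exception):
    """Raised by the injected fetcher when a connection attempt fails."""


class InsecureDowngrade(Exception):
    """Raised by the hardened fetcher instead of requesting a plaintext URL."""


def fetch_with_fallback(fetch, urls):
    """Vulnerable pattern: try each URL in order and silently accept the
    http:// URL once the https:// attempt has failed. Anyone who can
    tamper with plaintext traffic now controls the returned body."""
    last_err = TransportError("no URLs to try")
    for url in urls:
        try:
            return fetch(url)
        except TransportError as err:
            last_err = err
    raise last_err


def fetch_https_only(fetch, url):
    """Hardened pattern: fail closed. A non-https URL is refused before any
    request is made, and a transport failure propagates to the caller
    instead of being masked by a downgrade."""
    if urlparse(url).scheme != "https":
        raise InsecureDowngrade(f"refusing plaintext URL: {url}")
    return fetch(url)


def make_fake_fetch(https_down):
    """Constructed offline transport: the https request 'fails' when
    https_down is True; an http request always 'succeeds' and reports
    which scheme served it, standing in for a tampered package list."""
    def fetch(url):
        scheme = urlparse(url).scheme
        if scheme == "https" and https_down:
            raise TransportError("TLS connection failed (simulated)")
        return f'{{"served_over": "{scheme}"}}'
    return fetch
```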
The vulnerability has been patched in Nim versions 1.2.10 and 1.4.4. Users are advised to upgrade to these or later versions to protect against this security issue (GitHub Advisory).
Source: This report was generated using AI