CVE-2020-15694
Publication date 14 August 2020
Last updated 26 August 2025
Ubuntu priority
Description
In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| nim | 25.10 questing |
Fixed 1.2.6-1
|
| 25.04 plucky |
Fixed 1.2.6-1
|
|
| 24.04 LTS noble |
Fixed 1.2.6-1
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |