CVE-2021-38165 — Insufficiently Protected Credentials in Lynx

CWE-522 — Insufficiently Protected Credentials7 documents6 sources

Severity

5.3MEDIUMNVD

OSV7.5

EPSS

4.3%

top 11.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lynx Project Lynx Debian Lynx Debian Linux +1 more

Timeline

PublishedAug 7

Latest updateMay 24

Description

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/lynx< lynx 2.9.0dev.6-3 (bookworm)

▶Debianlynx_project/lynx< 2.9.0dev.6-3~deb11u1+3

▶NVDlynx_project/lynx2.8.9

Also affects: Debian Linux 10.0, 9.0, Fedora 33, 34, 35

🔴Vulnerability Details

GHSA

GHSA-88f3-hp86-v36f: Lynx through 2↗2022-05-24

▶

OSV

CVE-2021-38165: Lynx through 2↗2021-08-07

▶

OSV

lynx vulnerabilities↗2021-03-15

▶

📋Vendor Advisories

Red Hat

lynx: Disclosure of HTTP authentication credentials via SNI data↗2021-08-07

▶

Ubuntu

Lynx vulnerabilities↗2021-03-15

▶

Debian

CVE-2021-38165: lynx - Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows r...↗2021

▶