CVE-2021-38165
First published: Fri Aug 06 2021(Updated: )
Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/lynx | 2.8.9rel.1-3+deb10u1 2.9.0dev.6-3~deb11u1 2.9.0dev.12-1 | |
| debian/lynx-cur | <=2.8.9dev1-2+deb8u1 | |
| debian/lynx | <=2.8.9rel.1-3<=2.8.9dev11-1<=2.9.0dev.8-1<=2.9.0dev.6-2 | 2.9.0dev.9-1 2.9.0dev.6-3 2.9.0dev.6-3~deb11u1 2.8.9rel.1-3+deb10u1 |
| Lynx Project Lynx | <=2.8.9 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
- https://lynx.invisible-island.net/current/CHANGES.html#v2.9.0dev.9
- https://invisible-mirror.net/archives/lynx/patches/lynx2.9.0dev.9.patch.gz
- https://security-tracker.debian.org/tracker/CVE-2021-38165
- https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
- https://user:pass@host/
- https://user@host/
- https://bugs.debian.org/991971
- https://people.debian.org/~abe/
- https://foo:bar@example.com
- https://user:password@host/
- https://user@host/;
- https://lynx.invisible-island.net/current/CHANGES.html
- https://www.openwall.com/lists/oss-security/2021/08/07/7
- https://invisible-island.net
- https://user:pass@example.org/
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991971
- http://www.openwall.com/lists/oss-security/2021/08/07/11
- http://www.openwall.com/lists/oss-security/2021/08/07/12
- http://www.openwall.com/lists/oss-security/2021/08/07/9
- https://github.com/w3c/libwww/blob/f010b4cc58d32f34b162f0084fe093f7097a61f0/Library/src/HTParse.c#L118
- https://lists.debian.org/debian-lts-announce/2021/08/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7YMUHFJJWTZ6HBHTYXVDPNZINGGURHDW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K6PZF7JNTFCOJ62HXZG4Q2NEHSZ6IO2V/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKNK7GQBJBUBMJVNKVC7RTCYWUYMFJQW/
- https://www.debian.org/security/2021/dsa-4953
- https://www.openwall.com/lists/oss-security/2021/08/07/1
- https://www.openwall.com/lists/oss-security/2021/08/07/11
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKNK7GQBJBUBMJVNKVC7RTCYWUYMFJQW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K6PZF7JNTFCOJ62HXZG4Q2NEHSZ6IO2V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YMUHFJJWTZ6HBHTYXVDPNZINGGURHDW/
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2021-38165.
What is the severity of CVE-2021-38165?
The severity of CVE-2021-38165 is medium with a CVSS score of 5.3.
What is the affected software?
The affected software is Lynx versions 2.8.9 and prior.
How can remote attackers exploit CVE-2021-38165?
Remote attackers can exploit CVE-2021-38165 by discovering cleartext credentials through the mishandling of the userinfo subcomponent of a URI.
Are there any known references for CVE-2021-38165?
Yes, there are references available for CVE-2021-38165. You can find them at the following links: [link1](http://www.openwall.com/lists/oss-security/2021/08/07/11), [link2](http://www.openwall.com/lists/oss-security/2021/08/07/12), [link3](http://www.openwall.com/lists/oss-security/2021/08/07/9).
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2021-38165
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/description
- agent/type
- agent/event
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/lynx project
- canonical/lynx project lynx
- version/lynx project lynx/2.8.9
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35