CVE-2021-38165

Summary

CVE	CVE-2021-38165
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-08-07 18:15:00 UTC
Updated	2023-11-07 03:37:00 UTC
Description	Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.

Risk And Classification

Problem Types: CWE-522

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Application	Lynx Project	Lynx	All	All	All	All

References

Reference	Source	Link	Tags
oss-security - Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)	MISC	www.openwall.com
Debian -- Security Information -- DSA-4953-1 lynx	DEBIAN	www.debian.org
[SECURITY] Fedora 33 Update: lynx-2.8.9-13.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
libwww/HTParse.c at f010b4cc58d32f34b162f0084fe093f7097a61f0 · w3c/libwww · GitHub	MISC	github.com
oss-security - Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)	MLIST	www.openwall.com
lynx for LYNX	MISC	lynx.invisible-island.net
#991971 - lynx: SSL certificate validation fails with URLs containing user name or user name and password, i.e. https://user:password@host/ and https://user@host/; leaks password in clear text via SNI - Debian Bug report logs	MISC	bugs.debian.org
oss-security - Re: Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)	MISC	www.openwall.com
oss-security - Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)	MISC	www.openwall.com
oss-security - Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)	MLIST	www.openwall.com
[SECURITY] Fedora 35 Update: lynx-2.8.9-13.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 34 Update: lynx-2.8.9-13.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
oss-security - Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)	MLIST	www.openwall.com
[SECURITY] Fedora 34 Update: lynx-2.8.9-13.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] [DLA 2736-1] lynx security update	MLIST	lists.debian.org
[SECURITY] Fedora 35 Update: lynx-2.8.9-13.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 33 Update: lynx-2.8.9-13.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

178747 Debian Security Update for lynx (DSA 4953-1)
178748 Debian Security Update for lynx (DLA 2736-1)
180403 Debian Security Update for lynx (CVE-2021-38165)
281890 Fedora Security Update for lynx (FEDORA-2021-f59bda7d94)
281918 Fedora Security Update for lynx (FEDORA-2021-232161e4d5)
296060 Oracle Solaris 11.4 Support Repository Update (SRU) 37.0.1.101.1 Missing (CPUJUL2021)
355607 Amazon Linux Security Advisory for lynx : ALAS2-2023-2145
357252 Amazon Linux Security Advisory for lynx : ALAS2023-2024-535
501969 Alpine Linux Security Update for lynx
504129 Alpine Linux Security Update for lynx
940574 AlmaLinux Security Update for lynx (ALSA-2022:2129)
960411 Rocky Linux Security Update for lynx (RLSA-2022:2129)