CVE-2021-38165

MEDIUM

Lynx <2.8.9 - Info Disclosure

Title source: llm

Description

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.

References (13)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2021/08/07/11

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2021/08/07/12

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2021/08/07/9

[Issue Tracking, Third Party Advisory] https://bugs.debian.org/991971

[Third Party Advisory] https://github.com/w3c/libwww/blob/f010b4cc58d32f34b162f0084fe093f7097a61f0/Library/src/HTParse.c#L118

View Writeup ZIP pw:eip

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/08/msg00010.html

[Release Notes, Third Party Advisory] https://lynx.invisible-island.net/current/CHANGES.html

[Third Party Advisory] https://www.debian.org/security/2021/dsa-4953

[Mailing List, Third Party Advisory] https://www.openwall.com/lists/oss-security/2021/08/07/1

[Mailing List] https://www.openwall.com/lists/oss-security/2021/08/07/11

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YMUHFJJWTZ6HBHTYXVDPNZINGGURHDW/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K6PZF7JNTFCOJ62HXZG4Q2NEHSZ6IO2V/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKNK7GQBJBUBMJVNKVC7RTCYWUYMFJQW/

Scores

CVSS v3 5.3

EPSS 0.0428

EPSS Percentile 88.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (6)

lynx_project/lynx < 2.8.9

debian/debian_linux

fedoraproject/fedora

Timeline

Published Aug 07, 2021

Tracked Since Feb 18, 2026