CVE-2021-38165

CVE-2021-38165

Name

CVE-2021-38165

Description

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://www.openwall.com/lists/oss-security/2021/08/07/7
MISC	https://www.openwall.com/lists/oss-security/2021/08/07/1
MISC	https://github.com/w3c/libwww/blob/f010b4cc58d32f34b162f0084fe093f7097a61f0/Library/src/HTParse.c#L118
MISC	https://lynx.invisible-island.net/current/CHANGES.html
MISC	https://bugs.debian.org/991971
MISC	https://www.openwall.com/lists/oss-security/2021/08/07/11
MLIST	http://www.openwall.com/lists/oss-security/2021/08/07/9
MLIST	http://www.openwall.com/lists/oss-security/2021/08/07/12
MLIST	http://www.openwall.com/lists/oss-security/2021/08/07/11
MLIST	https://lists.debian.org/debian-lts-announce/2021/08/msg00010.html
DEBIAN	https://www.debian.org/security/2021/dsa-4953
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKNK7GQBJBUBMJVNKVC7RTCYWUYMFJQW/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K6PZF7JNTFCOJ62HXZG4Q2NEHSZ6IO2V/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7YMUHFJJWTZ6HBHTYXVDPNZINGGURHDW/

Type

URI

MISC

https://www.openwall.com/lists/oss-security/2021/08/07/7

MISC

https://www.openwall.com/lists/oss-security/2021/08/07/1

MISC

https://github.com/w3c/libwww/blob/f010b4cc58d32f34b162f0084fe093f7097a61f0/Library/src/HTParse.c#L118

MISC

https://lynx.invisible-island.net/current/CHANGES.html

MISC

https://bugs.debian.org/991971

MISC

https://www.openwall.com/lists/oss-security/2021/08/07/11

MLIST

http://www.openwall.com/lists/oss-security/2021/08/07/9

MLIST

http://www.openwall.com/lists/oss-security/2021/08/07/12

MLIST

http://www.openwall.com/lists/oss-security/2021/08/07/11

MLIST

https://lists.debian.org/debian-lts-announce/2021/08/msg00010.html

DEBIAN

https://www.debian.org/security/2021/dsa-4953

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKNK7GQBJBUBMJVNKVC7RTCYWUYMFJQW/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K6PZF7JNTFCOJ62HXZG4Q2NEHSZ6IO2V/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7YMUHFJJWTZ6HBHTYXVDPNZINGGURHDW/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:lynx_project:lynx::::::::`	lynx	>= None	<= 2.8.9

CPE URI

Source package

Min version

Max version

cpe:2.3:a:lynx_project:lynx:*:*:*:*:*:*:*:*

lynx

>= None

<= 2.8.9

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
lynx	edge-main	2.8.9_p1-r3	Sheila Aman <sheila@vulpine.house>	fixed
lynx	3.22-main	2.8.9_p1-r3	None	fixed
lynx	3.21-main	2.8.9_p1-r3	None	fixed
lynx	3.20-main	2.8.9_p1-r3	None	fixed
lynx	3.19-main	2.8.9_p1-r3	None	fixed
lynx	3.18-main	2.8.9_p1-r3	None	fixed
lynx	3.17-main	2.8.9_p1-r3	None	fixed
lynx	3.11-main	2.8.8_p2-r1	Kiyoshi Aman <kiyoshi.aman@gmail.com>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

lynx

edge-main

2.8.9_p1-r3

Sheila Aman <sheila@vulpine.house>

fixed

lynx

3.22-main