CVE-2021-38165
5.3 MEDIUM · Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because...
Published: 2021-08-07 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 5.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
- CWE: CWE-522
Affected products
| Vendor | Product |
|---|---|
| debian | debian_linux |
| fedoraproject | fedora |
| lynx_project | lynx |
Description
Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-38165
- [Other] http://www.openwall.com/lists/oss-security/2021/08/07/11
- [Other] http://www.openwall.com/lists/oss-security/2021/08/07/12
- [Other] http://www.openwall.com/lists/oss-security/2021/08/07/9
- [Other] https://bugs.debian.org/991971
- [Other] https://github.com/w3c/libwww/blob/f010b4cc58d32f34b162f0084fe093f7097a61f0/Library/src/HTParse.c#L118
- [Other] https://lists.debian.org/debian-lts-announce/2021/08/msg00010.html
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YMUHFJJWTZ6HBHTYXVDPNZINGGURHDW/
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K6PZF7JNTFCOJ62HXZG4Q2NEHSZ6IO2V/
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKNK7GQBJBUBMJVNKVC7RTCYWUYMFJQW/
- [Other] https://lynx.invisible-island.net/current/CHANGES.html
- [Other] https://www.debian.org/security/2021/dsa-4953
- [Other] https://www.openwall.com/lists/oss-security/2021/08/07/1
- [Other] https://www.openwall.com/lists/oss-security/2021/08/07/11
Related CVEs
Same vendor
- CVE-2026-49975 — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)
- CVE-2026-31431 — In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly r... (7.8 HIGH)
- CVE-2026-4775 — A flaw was found in the libtiff library (7.8 HIGH)
- CVE-2026-3497 — Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions (7.5 HIGH)
- CVE-2026-2219 — It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the dat... (7.5 HIGH)
Same CWE
- CVE-2026-53840 — OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configur... (7.1 HIGH)
- CVE-2026-6517 — Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in ... (6.3 MEDIUM)
- CVE-2026-49949 — CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive crede... (5.3 MEDIUM)
- CVE-2024-45636 — IBM Security QRadar EDR 3.12 through 3.12.24 stores user credentials in plain text which can be read by a local privileged user (4.1 MEDIUM)
- CVE-2026-41715 — In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials (6.1 MEDIUM)