Lucene search

[email protected]CVE-2021-38165

HistoryAug 07, 2021 - 6:15 p.m.

CVE-2021-38165

2021-08-0718:15:00

CWE-522

[email protected]

web.nvd.nist.gov

173

lynx

cve-2021-38165

uri

remote attackers

cleartext credentials

sni data

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

5.3 Medium

AI Score

Confidence

High

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

78.6%

JSON

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.

CPENameOperatorVersion
lynx_project:lynxlynx project lynxle2.8.9
debian:debian_linuxdebian debian linuxeq9.0
debian:debian_linuxdebian debian linuxeq10.0
fedoraproject:fedorafedoraproject fedoraeq33
fedoraproject:fedorafedoraproject fedoraeq34
fedoraproject:fedorafedoraproject fedoraeq35

CPE	Name	Operator	Version
lynx_project:lynx	lynx project lynx	le	2.8.9
debian:debian_linux	debian debian linux	eq	9.0
debian:debian_linux	debian debian linux	eq	10.0
fedoraproject:fedora	fedoraproject fedora	eq	33
fedoraproject:fedora	fedoraproject fedora	eq	34
fedoraproject:fedora	fedoraproject fedora	eq	35