Amazon Linux 2023: CVE-2021-38165: Medium priority package update for lynx
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 3 | (AV:N/AC:H/Au:N/C:P/I:N/A:N) | Aug 7, 2021 | Feb 17, 2025 | Jul 4, 2025 |
Description
Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.
A flaw was found in the way lynx parsed URLs with a userinfo part containing authentication credentials. These credentials were included in the Server Name Indication (SNI) TLS extension data and sent unencrypted during the TLS connection handshake. This could expose authentication credentials to attackers able to eavesdrop on the network connection between the lynx browser and the server.
Solutions
- amazon-linux-2023-upgrade-lynx
- amazon-linux-2023-upgrade-lynx-debuginfo
- amazon-linux-2023-upgrade-lynx-debugsource