VULNERABILITY

Amazon Linux 2023: CVE-2021-38165: Medium priority package update for lynx


Severity: 5
CVSS: (AV:N/AC:H/Au:N/C:C/I:N/A:N)
Published: 08/07/2021
Created: 02/14/2025
Added: 02/17/2025
Modified: 02/17/2025

Description

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.

A flaw was found in the way lynx parsed URLs with a userinfo part containing authentication credentials. These credentials were included in the Server Name Indication (SNI) TLS extension data and sent unencrypted during the TLS connection handshake. This could expose the authentication credentials to attackers able to eavesdrop on the network connection between the lynx browser and the server.
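The class of defect described above, shown as an added Python illustration (not lynx's code and not part of the original advisory): one function derives the SNI value without stripping userinfo, one derives it correctly, and a small check flags SNI values from TLS handshake logs that carry userinfo. The URL, credentials and function names are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URL: host and credentials are placeholders.
SAMPLE_URL = "https://alice:s3cret@example.test:8443/private/"


def naive_sni_host(url):
    """Defect pattern: take the authority, drop only the port.

    The userinfo ("user:password@") is still attached, so it would be
    sent in the cleartext SNI extension of the ClientHello.
    """
    authority = url.split("://", 1)[1].split("/", 1)[0]
    head, sep, tail = authority.rpartition(":")
    return head if sep and tail.isdigit() else authority


def safe_sni_host(url):
    """Return only the DNS host name for SNI, or None if none applies."""
    host = urlsplit(url).hostname  # strips userinfo and port
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None  # RFC 6066: IP literals are not sent as SNI
    except ValueError:
        return host


def sni_leaks_userinfo(server_name):
    """Flag an observed SNI value that carries URI userinfo.

    A DNS host name never contains '@', so its presence means the
    client put more than the host into the extension.
    """
    return "@" in server_name


if __name__ == "__main__":
    for fn in (naive_sni_host, safe_sni_host):
        sni = fn(SAMPLE_URL)
        print(f"{fn.__name__}: {sni!r} leaks={sni_leaks_userinfo(sni)}")
```

The same `sni_leaks_userinfo` check can be run over SNI values exported from network monitoring to find clients that are still unpatched.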

Solution(s)

  • amazon-linux-2023-upgrade-lynx
  • amazon-linux-2023-upgrade-lynx-debuginfo
  • amazon-linux-2023-upgrade-lynx-debugsource
