
Cloud Vulnerability DB
A community-led vulnerabilities database
Lynx through version 2.8.9 contains a vulnerability (CVE-2021-38165) where it mishandles the userinfo subcomponent of a URI, allowing remote attackers to discover cleartext credentials because they may appear in Server Name Indication (SNI) data during TLS handshakes. The vulnerability was discovered in August 2021 (Openwall List).
The vulnerability stems from Lynx's improper handling of the userinfo part of URIs (e.g., https://user:pass@example.com). When establishing TLS connections, Lynx would include the full URI including credentials in the SNI extension data, which is sent in cleartext during the TLS handshake. This occurs even before the user can respond to certificate validation prompts. The issue was confirmed through packet capture analysis showing credentials being exposed in the SNI data (Openwall List). The vulnerability has a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD).
The vulnerability allows remote attackers to discover authentication credentials in cleartext by capturing network traffic during TLS handshakes. This exposure occurs even if the user chooses not to proceed with an untrusted connection, as the SNI data is sent before certificate validation (Openwall List).
The vulnerability was fixed in Lynx version 2.9.0dev.9 by adding proper stripping of user/password information from the hostname before using it in SNI data (Lynx Changes). Various distributions have released security updates including Debian (DSA-4953-1) and Fedora (Debian Security, Fedora Update).
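The fix described above amounts to deriving the SNI name from the URI authority with the userinfo removed. The following C sketch is an added example, not Lynx's own code; the function name `sni_name_from_authority` and the sample inputs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Lynx's actual function): derive the name that is
 * safe to place in the TLS SNI extension from a URI authority such as
 * "user:pass@example.com:8443". Returns 0 on success, -1 if no usable
 * DNS name remains or the buffer is too small. */
int sni_name_from_authority(const char *authority, char *out, size_t outlen)
{
    const char *host, *end;
    size_t len;

    if (authority == NULL || out == NULL || outlen == 0)
        return -1;

    /* userinfo ends at the last '@'; a raw '@' inside a password is
     * malformed but must still never reach the wire. */
    host = strrchr(authority, '@');
    host = (host != NULL) ? host + 1 : authority;

    /* RFC 6066: literal IP addresses are not permitted in SNI. Bracketed
     * IPv6 literals are rejected here; callers should send no SNI. */
    if (*host == '[')
        return -1;

    /* Drop an optional ":port" suffix. */
    end = strchr(host, ':');
    len = (end != NULL) ? (size_t)(end - host) : strlen(host);

    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, host, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "user:pass@example.com", "example.com:8443",
                              "u:p@ss@example.com:443", "user:pass@" };
    char name[256];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = sni_name_from_authority(samples[i], name, sizeof name);
        printf("%-28s -> %s\n", samples[i], rc == 0 ? name : "(no SNI)");
    }
    return 0;
}
```

A caller would pass the returned name, and only that name, to its TLS library's SNI setter, and omit SNI entirely when the helper returns -1.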
Source: This report was generated using AI