CVE-2013-3587

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
certccCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
VendorProductVersion
f5big-ip_access_policy_manager
10.1.0 ≤
𝑥
≤ 10.2.4
f5big-ip_access_policy_manager
11.0.0 ≤
𝑥
≤ 11.6.1
f5big-ip_access_policy_manager
12.0.0 ≤
𝑥
≤ 12.1.2
f5big-ip_access_policy_manager
13.0.0
f5big-ip_advanced_firewall_manager
11.3.0 ≤
𝑥
≤ 11.6.1
f5big-ip_advanced_firewall_manager
12.0.0 ≤
𝑥
≤ 12.1.2
f5big-ip_advanced_firewall_manager
13.0.0
f5big-ip_analytics
11.0.0 ≤
𝑥
≤ 11.6.1
f5big-ip_analytics
12.0.0 ≤
𝑥
≤ 12.1.2
f5big-ip_analytics
13.0.0
f5big-ip_application_acceleration_manager
11.4.0 ≤
𝑥
≤ 11.6.1
f5big-ip_application_acceleration_manager
12.0.0 ≤
𝑥
≤ 12.1.2
f5big-ip_application_acceleration_manager
13.0.0
f5big-ip_application_security_manager
9.2.0 ≤
𝑥
≤ 9.4.8
f5big-ip_application_security_manager
10.0.0 ≤
𝑥
≤ 10.2.4
f5big-ip_application_security_manager
11.0.0 ≤
𝑥
≤ 11.6.1
f5big-ip_application_security_manager
12.0.0 ≤
𝑥
≤ 12.1.2
f5big-ip_application_security_manager
13.0.0
f5big-ip_edge_gateway
10.1.0 ≤
𝑥
≤ 10.2.4
f5big-ip_edge_gateway
11.0.0 ≤
𝑥
≤ 11.3.0
f5big-ip_link_controller
9.2.2 ≤
𝑥
≤ 9.4.8
f5big-ip_link_controller
10.0.0 ≤
𝑥
≤ 10.2.4
f5big-ip_link_controller
11.0.0 ≤
𝑥
≤ 11.6.1
f5big-ip_link_controller
12.0.0 ≤
𝑥
≤ 12.1.2
f5big-ip_link_controller
13.0.0
f5big-ip_local_traffic_manager
9.0.0 ≤
𝑥
≤ 9.6.1
f5big-ip_local_traffic_manager
10.0.0 ≤
𝑥
≤ 10.2.4
f5big-ip_local_traffic_manager
11.0.0 ≤
𝑥
≤ 11.6.1
f5big-ip_local_traffic_manager
12.0.0 ≤
𝑥
≤ 12.1.2
f5big-ip_local_traffic_manager
13.0.0
f5big-ip_policy_enforcement_manager
11.3.0 ≤
𝑥
≤ 11.6.1
f5big-ip_policy_enforcement_manager
12.0.0 ≤
𝑥
≤ 12.1.2
f5big-ip_policy_enforcement_manager
13.0.0
f5big-ip_protocol_security_module
9.4.5 ≤
𝑥
≤ 9.4.8
f5big-ip_protocol_security_module
10.0.0 ≤
𝑥
≤ 10.2.4
f5big-ip_protocol_security_module
11.0.0 ≤
𝑥
≤ 11.4.1
f5big-ip_wan_optimization_manager
10.0.0 ≤
𝑥
≤ 10.2.4
f5big-ip_wan_optimization_manager
11.0.0 ≤
𝑥
≤ 11.3.0
f5big-ip_webaccelerator
9.4.0 ≤
𝑥
≤ 9.4.8
f5big-ip_webaccelerator
10.0.0 ≤
𝑥
≤ 10.2.4
f5big-ip_webaccelerator
11.0.0 ≤
𝑥
≤ 11.3.0
f5firepass
6.0.0 ≤
𝑥
≤ 6.1.0
f5firepass
7.0.0
f5arx
5.0.0 ≤
𝑥
≤ 5.3.1
f5arx
6.0.0 ≤
𝑥
≤ 6.4.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openssl
raring
not-affected
quantal
not-affected
precise
not-affected
lucid
not-affected
Common Weakness Enumeration
References
http://breachattack.com/
http://github.com/meldium/breach-mitigation-rails
http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407
http://slashdot.org/story/13/08/05/233216
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
http://www.kb.cert.org/vuls/id/987798
https://bugzilla.redhat.com/show_bug.cgi?id=995168
https://hackerone.com/reports/254895
https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E
https://support.f5.com/csp/article/K14634
https://www.blackhat.com/us-13/briefings.html#Prado
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
http://breachattack.com/
http://github.com/meldium/breach-mitigation-rails
http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407
http://slashdot.org/story/13/08/05/233216
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
http://www.kb.cert.org/vuls/id/987798
https://bugzilla.redhat.com/show_bug.cgi?id=995168
https://hackerone.com/reports/254895
https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E
https://support.f5.com/csp/article/K14634
https://www.blackhat.com/us-13/briefings.html#Prado
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/