CVE-2013-3587
CVE-2013-3587 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. It is the "BREACH" attack: HTTPS, as used in unspecified web applications, encrypts compressed data without obfuscating the length of the plaintext, so a man-in-the-middle attacker who can make the victim's browser send a series of requests can recover a secret in the response body by guessing it piecewise in a request URL and watching how the response length changes. It is a different issue from CVE-2012-4929 (CRIME, which targets TLS-level compression). EPSS estimates a 6.05% chance of exploitation in the next 30 days.
Description
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
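The guessing loop the description sketches, as an added example that is not part of the NVD record or of any project referenced on this page. It models DEFLATE's LZ77 stage with a greedy matcher (a literal costs 1 byte, a back-reference costs 3), which keeps the length oracle exact; real gzip adds Huffman coding and byte alignment, which blur the one-byte signal and which the BREACH paper handles with its "two tries" method. The page template, the secret `TOKEN`, the known prefix `csrf_token' value='` and the per-response XOR masking are all constructed for illustration; the mitigation shown is the kind of token masking the referenced breach-mitigation-rails project applies, not its code.

```python
"""Toy model of the BREACH length side channel and of per-response secret masking."""
import os
from typing import Callable, Optional

TOKEN = "a1b2c3d4e5f60718"           # constructed secret; its 2-grams are distinct, which keeps the toy oracle exact
HEX = "0123456789abcdef"
PREFIX = "csrf_token' value='"        # bytes the attacker knows sit right before the secret in the page


def render(reflected: str, token: str) -> bytes:
    """Constructed vulnerable page: reflects a URL parameter into the body that also carries a secret."""
    return (
        "<html><body><p>Search results for: " + reflected + "</p>"
        "<form><input type='hidden' name='csrf_token' value='" + token + "'></form>"
        "</body></html>"
    ).encode()


def lz77_size(data: bytes, min_match: int = 3) -> int:
    """Size under a greedy LZ77 model (DEFLATE's first stage): literal = 1 byte, back-reference = 3 bytes.
    TLS does not hide this length, so it is what a man-in-the-middle observes per response."""
    size = i = 0
    n = len(data)
    while i < n:
        best = 0
        for j in range(i):                      # longest match against any earlier offset
            k = 0
            while i + k < n and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        if best >= min_match:
            size += 3
            i += best
        else:
            size += 1
            i += 1
    return size


def attack(fetch: Callable[[str], int], length: int) -> Optional[str]:
    """BREACH guess loop: fetch(reflected) returns the on-the-wire size of the response.
    Extends the guess one character at a time; returns None as soon as no guess stands out."""
    known = ""
    for _ in range(length):
        sizes = {c: fetch(PREFIX + known + c) for c in HEX}
        best = min(sizes, key=sizes.get)
        if list(sizes.values()).count(sizes[best]) != 1:
            return None                         # tie: the oracle leaks nothing at this position
        known += best
    return known


def vulnerable_fetch(reflected: str) -> int:
    """Compressed page, static secret: the correct guess is always one byte shorter."""
    return lz77_size(render(reflected, TOKEN))


def uncompressed_fetch(reflected: str) -> int:
    """Mitigation 1, compression disabled: length no longer depends on overlap with the secret."""
    return len(render(reflected, TOKEN))


def mask(token: str) -> str:
    """Mitigation 2, per-response masking: emit pad || (pad XOR token) with a fresh random pad,
    so the bytes carrying the secret differ on every response and cannot be matched by a guess."""
    raw = bytes.fromhex(token)
    pad = os.urandom(len(raw))
    return pad.hex() + bytes(a ^ b for a, b in zip(pad, raw)).hex()


def unmask(masked: str) -> str:
    """Server-side inverse of mask(): XOR the two halves to recover the real token."""
    raw = bytes.fromhex(masked)
    half = len(raw) // 2
    return bytes(a ^ b for a, b in zip(raw[:half], raw[half:])).hex()


def masked_fetch(reflected: str) -> int:
    return lz77_size(render(reflected, mask(TOKEN)))


if __name__ == "__main__":
    print("compressed, static secret :", attack(vulnerable_fetch, len(TOKEN)))
    print("compression disabled      :", attack(uncompressed_fetch, len(TOKEN)))
    print("compressed, masked secret :", attack(masked_fetch, len(TOKEN)))
```

Against `vulnerable_fetch` the loop recovers the full token with 16 requests per character, because the reflected guess and the real token share one more byte of LZ77 match exactly when the guess is right. Against `uncompressed_fetch` every candidate produces the same length and the loop aborts; against `masked_fetch` the bytes on the page change every response, so the guesses have nothing stable to match and the result is garbage or an abort. The same reasoning is why the mitigations on breachattack.com are framed as "separate secrets from user input" and "randomize secrets per request" rather than as a patch.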
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| F5 | Big-Ip Access Policy Manager | >= 10.1.0, <= 10.2.4 |
| F5 | Big-Ip Access Policy Manager | >= 11.0.0, <= 11.6.1 |
| F5 | Big-Ip Access Policy Manager | >= 12.0.0, <= 12.1.2 |
| F5 | Big-Ip Access Policy Manager | 13.0.0 |
| F5 | Big-Ip Advanced Firewall Manager | >= 11.3.0, <= 11.6.1 |
| F5 | Big-Ip Advanced Firewall Manager | >= 12.0.0, <= 12.1.2 |
| F5 | Big-Ip Advanced Firewall Manager | 13.0.0 |
| F5 | Big-Ip Analytics | >= 11.0.0, <= 11.6.1 |
| F5 | Big-Ip Analytics | >= 12.0.0, <= 12.1.2 |
| F5 | Big-Ip Analytics | 13.0.0 |
| F5 | Big-Ip Application Acceleration Manager | >= 11.4.0, <= 11.6.1 |
| F5 | Big-Ip Application Acceleration Manager | >= 12.0.0, <= 12.1.2 |
| F5 | Big-Ip Application Acceleration Manager | 13.0.0 |
| F5 | Big-Ip Application Security Manager | >= 9.2.0, <= 9.4.8 |
| F5 | Big-Ip Application Security Manager | >= 10.0.0, <= 10.2.4 |
| F5 | Big-Ip Application Security Manager | >= 11.0.0, <= 11.6.1 |
| F5 | Big-Ip Application Security Manager | >= 12.0.0, <= 12.1.2 |
| F5 | Big-Ip Application Security Manager | 13.0.0 |
| F5 | Big-Ip Edge Gateway | >= 10.1.0, <= 10.2.4 |
| F5 | Big-Ip Edge Gateway | >= 11.0.0, <= 11.3.0 |
| F5 | Big-Ip Link Controller | >= 9.2.2, <= 9.4.8 |
| F5 | Big-Ip Link Controller | >= 10.0.0, <= 10.2.4 |
| F5 | Big-Ip Link Controller | >= 11.0.0, <= 11.6.1 |
| F5 | Big-Ip Link Controller | >= 12.0.0, <= 12.1.2 |
| F5 | Big-Ip Link Controller | 13.0.0 |
| F5 | Big-Ip Local Traffic Manager | >= 9.0.0, <= 9.6.1 |
| F5 | Big-Ip Local Traffic Manager | >= 10.0.0, <= 10.2.4 |
| F5 | Big-Ip Local Traffic Manager | >= 11.0.0, <= 11.6.1 |
| F5 | Big-Ip Local Traffic Manager | >= 12.0.0, <= 12.1.2 |
| F5 | Big-Ip Local Traffic Manager | 13.0.0 |
| F5 | Big-Ip Policy Enforcement Manager | >= 11.3.0, <= 11.6.1 |
| F5 | Big-Ip Policy Enforcement Manager | >= 12.0.0, <= 12.1.2 |
| F5 | Big-Ip Policy Enforcement Manager | 13.0.0 |
| F5 | Big-Ip Protocol Security Module | >= 9.4.5, <= 9.4.8 |
| F5 | Big-Ip Protocol Security Module | >= 10.0.0, <= 10.2.4 |
| F5 | Big-Ip Protocol Security Module | >= 11.0.0, <= 11.4.1 |
| F5 | Big-Ip Wan Optimization Manager | >= 10.0.0, <= 10.2.4 |
| F5 | Big-Ip Wan Optimization Manager | >= 11.0.0, <= 11.3.0 |
| F5 | Big-Ip Webaccelerator | >= 9.4.0, <= 9.4.8 |
| F5 | Big-Ip Webaccelerator | >= 10.0.0, <= 10.2.4 |
| F5 | Big-Ip Webaccelerator | >= 11.0.0, <= 11.3.0 |
| F5 | Firepass | >= 6.0.0, <= 6.1.0 |
| F5 | Firepass | 7.0.0 |
| F5 | Arx | >= 5.0.0, <= 5.3.1 |
| F5 | Arx | >= 6.0.0, <= 6.4.0 |
References
- http://breachattack.com/ (Third Party Advisory)
- http://github.com/meldium/breach-mitigation-rails (Third Party Advisory)
- http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 (Exploit, Third Party Advisory)
- http://slashdot.org/story/13/08/05/233216 (Third Party Advisory)
- http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf (Third Party Advisory)
- http://www.kb.cert.org/vuls/id/987798 (Third Party Advisory, US Government Resource)
- https://bugzilla.redhat.com/show_bug.cgi?id=995168 (Issue Tracking, Third Party Advisory)
- https://hackerone.com/reports/254895 (Exploit, Third Party Advisory)
- https://support.f5.com/csp/article/K14634 (Third Party Advisory)
- https://www.blackhat.com/us-13/briefings.html#Prado (Third Party Advisory)
- https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ (Third Party Advisory)
Timeline
- Status: Modified
Frequently Asked Questions
What is CVE-2013-3587?
The BREACH attack: a compression side channel in HTTPS-delivered web applications. When a response is compressed (gzip/DEFLATE) before TLS encryption and the body contains both a secret (a CSRF token, a session identifier) and text the attacker controls (a reflected URL parameter), a man-in-the-middle who can trigger many requests from the victim's browser learns, from the response length alone, whether a guess matches the next bytes of the secret. It is distinct from CVE-2012-4929 (CRIME), which exploits TLS-level compression rather than HTTP-level compression.
How severe is CVE-2013-3587?
CVSS 3.1 base score 5.9 (medium), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N: confidentiality impact is high, but attack complexity is high because the attacker needs a network position to observe response lengths, a page that reflects input next to a secret, and a way to make the victim issue the guessing requests. EPSS puts the 30-day exploitation probability at 6.05%.
How do I fix CVE-2013-3587?
There is no single patch; this is a property of compressing secrets together with attacker-controlled input. For the F5 products listed above, follow F5 article K14634. For your own applications the mitigations described on breachattack.com apply: disable HTTP compression for responses that carry secrets (the referenced Django post advises against gzip-compressing dynamic responses), keep secrets out of pages that reflect user input, randomize or mask secrets per request (the referenced breach-mitigation-rails project masks the CSRF token with a one-time pad), protect vulnerable pages with CSRF checks, rate-limit requests, and pad responses to hide length.
Are you affected by CVE-2013-3587?
If any page you serve over TLS is compressed and contains a secret alongside reflected user input, you are exposed regardless of vendor; the F5 entries above are simply the products NVD has catalogued against this CVE. Check your server and CDN compression settings for such pages, and verify that your framework's CSRF tokens are masked per request.
Source: NVD / NIST
