CVE-2013-3587

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
References
Link Resource
http://breachattack.com/ Third Party Advisory
http://github.com/meldium/breach-mitigation-rails Third Party Advisory
http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 Exploit Third Party Advisory
http://slashdot.org/story/13/08/05/233216 Third Party Advisory
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf Third Party Advisory
http://www.kb.cert.org/vuls/id/987798 Third Party Advisory US Government Resource
https://bugzilla.redhat.com/show_bug.cgi?id=995168 Issue Tracking Third Party Advisory
https://hackerone.com/reports/254895 Exploit Third Party Advisory
https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E
https://support.f5.com/csp/article/K14634 Third Party Advisory
https://www.blackhat.com/us-13/briefings.html#Prado Third Party Advisory
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ Third Party Advisory
http://breachattack.com/ Third Party Advisory
http://github.com/meldium/breach-mitigation-rails Third Party Advisory
http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 Exploit Third Party Advisory
http://slashdot.org/story/13/08/05/233216 Third Party Advisory
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf Third Party Advisory
http://www.kb.cert.org/vuls/id/987798 Third Party Advisory US Government Resource
https://bugzilla.redhat.com/show_bug.cgi?id=995168 Issue Tracking Third Party Advisory
https://hackerone.com/reports/254895 Exploit Third Party Advisory
https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E
https://support.f5.com/csp/article/K14634 Third Party Advisory
https://www.blackhat.com/us-13/briefings.html#Prado Third Party Advisory
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:13.0.0:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:13.0.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_analytics:13.0.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_acceleration_manager:13.0.0:*:*:*:*:*:*:*

Configuration 5 (hide)

OR cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:13.0.0:*:*:*:*:*:*:*

Configuration 6 (hide)

OR cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*

Configuration 7 (hide)

OR cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:13.0.0:*:*:*:*:*:*:*

Configuration 8 (hide)

OR cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:13.0.0:*:*:*:*:*:*:*

Configuration 9 (hide)

OR cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:13.0.0:*:*:*:*:*:*:*

Configuration 10 (hide)

OR cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*

Configuration 11 (hide)

OR cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*

Configuration 12 (hide)

OR cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*

Configuration 13 (hide)

OR cpe:2.3:a:f5:firepass:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:firepass:7.0.0:*:*:*:*:*:*:*

Configuration 14 (hide)

OR cpe:2.3:a:f5:arx:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:arx:*:*:*:*:*:*:*:*

History

21 Nov 2024, 01:53

Type Values Removed Values Added
References () http://breachattack.com/ - Third Party Advisory () http://breachattack.com/ - Third Party Advisory
References () http://github.com/meldium/breach-mitigation-rails - Third Party Advisory () http://github.com/meldium/breach-mitigation-rails - Third Party Advisory
References () http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 - Exploit, Third Party Advisory () http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 - Exploit, Third Party Advisory
References () http://slashdot.org/story/13/08/05/233216 - Third Party Advisory () http://slashdot.org/story/13/08/05/233216 - Third Party Advisory
References () http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf - Third Party Advisory () http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf - Third Party Advisory
References () http://www.kb.cert.org/vuls/id/987798 - Third Party Advisory, US Government Resource () http://www.kb.cert.org/vuls/id/987798 - Third Party Advisory, US Government Resource
References () https://bugzilla.redhat.com/show_bug.cgi?id=995168 - Issue Tracking, Third Party Advisory () https://bugzilla.redhat.com/show_bug.cgi?id=995168 - Issue Tracking, Third Party Advisory
References () https://hackerone.com/reports/254895 - Exploit, Third Party Advisory () https://hackerone.com/reports/254895 - Exploit, Third Party Advisory
References () https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E - () https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E -
References () https://support.f5.com/csp/article/K14634 - Third Party Advisory () https://support.f5.com/csp/article/K14634 - Third Party Advisory
References () https://www.blackhat.com/us-13/briefings.html#Prado - Third Party Advisory () https://www.blackhat.com/us-13/briefings.html#Prado - Third Party Advisory
References () https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ - Third Party Advisory () https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ - Third Party Advisory

01 Jan 2022, 19:44

Type Values Removed Values Added
References (MLIST) https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1@%3Cdev.httpd.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1@%3Cdev.httpd.apache.org%3E - Mailing List, Third Party Advisory

Information

Published : 2020-02-21 18:15

Updated : 2024-11-21 01:53


NVD link : CVE-2013-3587

Mitre link : CVE-2013-3587

CVE.ORG link : CVE-2013-3587


JSON object : View

Products Affected

f5

  • big-ip_application_security_manager
  • big-ip_application_acceleration_manager
  • big-ip_policy_enforcement_manager
  • arx
  • big-ip_edge_gateway
  • big-ip_wan_optimization_manager
  • big-ip_link_controller
  • big-ip_local_traffic_manager
  • big-ip_webaccelerator
  • big-ip_advanced_firewall_manager
  • big-ip_access_policy_manager
  • firepass
  • big-ip_protocol_security_module
  • big-ip_analytics
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor