The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
Configuration 7 (hide)
|
Configuration 8 (hide)
|
Configuration 9 (hide)
|
Configuration 10 (hide)
|
Configuration 11 (hide)
|
Configuration 12 (hide)
|
Configuration 13 (hide)
|
Configuration 14 (hide)
|
History
21 Nov 2024, 01:53
Type | Values Removed | Values Added |
---|---|---|
References | () http://breachattack.com/ - Third Party Advisory | |
References | () http://github.com/meldium/breach-mitigation-rails - Third Party Advisory | |
References | () http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 - Exploit, Third Party Advisory | |
References | () http://slashdot.org/story/13/08/05/233216 - Third Party Advisory | |
References | () http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf - Third Party Advisory | |
References | () http://www.kb.cert.org/vuls/id/987798 - Third Party Advisory, US Government Resource | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=995168 - Issue Tracking, Third Party Advisory | |
References | () https://hackerone.com/reports/254895 - Exploit, Third Party Advisory | |
References | () https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E - | |
References | () https://support.f5.com/csp/article/K14634 - Third Party Advisory | |
References | () https://www.blackhat.com/us-13/briefings.html#Prado - Third Party Advisory | |
References | () https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ - Third Party Advisory |
01 Jan 2022, 19:44
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1@%3Cdev.httpd.apache.org%3E - Mailing List, Third Party Advisory |
Information
Published : 2020-02-21 18:15
Updated : 2024-11-21 01:53
NVD link : CVE-2013-3587
Mitre link : CVE-2013-3587
CVE.ORG link : CVE-2013-3587
JSON object : View
Products Affected
f5
- big-ip_application_security_manager
- big-ip_application_acceleration_manager
- big-ip_policy_enforcement_manager
- arx
- big-ip_edge_gateway
- big-ip_wan_optimization_manager
- big-ip_link_controller
- big-ip_local_traffic_manager
- big-ip_webaccelerator
- big-ip_advanced_firewall_manager
- big-ip_access_policy_manager
- firepass
- big-ip_protocol_security_module
- big-ip_analytics
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor