CVE-2013-3587
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
Published at
2020-02-21T18:15Z
Modified
2022-01-01T19:44Z
Problem type: CWE-200
Impact
CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Severity score: 5.9 (Medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References
URL | Type |
---|---|
security.stackexchange.com http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 | MISC |
slashdot.org http://slashdot.org/story/13/08/05/233216 | MISC |
breachattack.com http://breachattack.com/ | MISC |
www.blackhat.com https://www.blackhat.com/us-13/briefings.html#Prado | MISC |
hackerone.com https://hackerone.com/reports/254895 | MISC |
www.iacr.org http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf | MISC |
www.kb.cert.org http://www.kb.cert.org/vuls/id/987798 | MISC |
bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=995168 | MISC |
support.f5.com https://support.f5.com/csp/article/K14634 | MISC |
github.com http://github.com/meldium/breach-mitigation-rails | MISC |
www.djangoproject.com https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ | MISC |
[httpd-dev] 20210409 GSOC project Idea- fix for CVE-2013-3587 https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1@%3Cdev.httpd.apache.org%3E | MLIST |
GET https://vulnerabilitydata.com/api/details/CVE-2013-3587
{ "id": "CVE-2013-3587", "published_date": "2020-02-21T18:15Z", "last_modified_date": "2022-01-01T19:44Z", "assigner": "cert@cert.org", "description": "The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a \"BREACH\" attack, a different issue than CVE-2012-4929.", "references": [ { "url": "http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407", "name": "http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407", "refsource": "MISC", "tags": [ "Exploit", "Third Party Advisory" ] }, { "url": "http://slashdot.org/story/13/08/05/233216", "name": "http://slashdot.org/story/13/08/05/233216", "refsource": "MISC", "tags": [ "Third Party Advisory" ] }, { "url": "http://breachattack.com/", "name": "http://breachattack.com/", "refsource": "MISC", "tags": [ "Third Party Advisory" ] }, { "url": "https://www.blackhat.com/us-13/briefings.html#Prado", "name": "https://www.blackhat.com/us-13/briefings.html#Prado", "refsource": "MISC", "tags": [ "Third Party Advisory" ] }, { "url": "https://hackerone.com/reports/254895", "name": "https://hackerone.com/reports/254895", "refsource": "MISC", "tags": [ "Exploit", "Third Party Advisory" ] }, { "url": "http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf", "name": "http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf", "refsource": "MISC", "tags": [ "Third Party Advisory" ] }, { "url": "http://www.kb.cert.org/vuls/id/987798", "name": "http://www.kb.cert.org/vuls/id/987798", "refsource": "MISC", "tags": [ "Third Party Advisory", "US Government Resource" ] }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=995168", 
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=995168", "refsource": "MISC", "tags": [ "Issue Tracking", "Third Party Advisory" ] }, { "url": "https://support.f5.com/csp/article/K14634", "name": "https://support.f5.com/csp/article/K14634", "refsource": "MISC", "tags": [ "Third Party Advisory" ] }, { "url": "http://github.com/meldium/breach-mitigation-rails", "name": "http://github.com/meldium/breach-mitigation-rails", "refsource": "MISC", "tags": [ "Third Party Advisory" ] }, { "url": "https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/", "name": "https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/", "refsource": "MISC", "tags": [ "Third Party Advisory" ] }, { "url": "https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1@%3Cdev.httpd.apache.org%3E", "name": "[httpd-dev] 20210409 GSOC project Idea- fix for CVE-2013-3587", "refsource": "MLIST", "tags": [ "Mailing List", "Third Party Advisory" ] } ], "impact": { "baseMetricV3": { "cvssV3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 2.2, "impactScore": 3.6 }, "baseMetricV2": { "cvssV2": { "version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3 }, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } }, "problem_type": "CWE-200" }