CVE-2013-3587

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.

Published at
2020-02-21T18:15Z
Modified
2022-01-01T19:44Z
Problem type
CWE-200

Impact

CVSS v3 vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Severity: Medium
Score: 5.9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References


URL / Type
security.stackexchange.com
http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407
MISC
slashdot.org
http://slashdot.org/story/13/08/05/233216
MISC
breachattack.com
http://breachattack.com/
MISC
www.blackhat.com
https://www.blackhat.com/us-13/briefings.html#Prado
MISC
hackerone.com
https://hackerone.com/reports/254895
MISC
www.iacr.org
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
MISC
www.kb.cert.org
http://www.kb.cert.org/vuls/id/987798
MISC
bugzilla.redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=995168
MISC
support.f5.com
https://support.f5.com/csp/article/K14634
MISC
github.com
http://github.com/meldium/breach-mitigation-rails
MISC
www.djangoproject.com
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
MISC
[httpd-dev] 20210409 GSOC project Idea- fix for CVE-2013-3587
https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1@%3Cdev.httpd.apache.org%3E
MLIST

GET https://vulnerabilitydata.com/api/details/CVE-2013-3587

{
	"id": "CVE-2013-3587",
	"published_date": "2020-02-21T18:15Z",
	"last_modified_date": "2022-01-01T19:44Z",
	"assigner": "cert@cert.org",
	"description": "The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a \"BREACH\" attack, a different issue than CVE-2012-4929.",
	"references": [
		{
			"url": "http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407",
			"name": "http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407",
			"refsource": "MISC",
			"tags": [
				"Exploit",
				"Third Party Advisory"
			]
		},
		{
			"url": "http://slashdot.org/story/13/08/05/233216",
			"name": "http://slashdot.org/story/13/08/05/233216",
			"refsource": "MISC",
			"tags": [
				"Third Party Advisory"
			]
		},
		{
			"url": "http://breachattack.com/",
			"name": "http://breachattack.com/",
			"refsource": "MISC",
			"tags": [
				"Third Party Advisory"
			]
		},
		{
			"url": "https://www.blackhat.com/us-13/briefings.html#Prado",
			"name": "https://www.blackhat.com/us-13/briefings.html#Prado",
			"refsource": "MISC",
			"tags": [
				"Third Party Advisory"
			]
		},
		{
			"url": "https://hackerone.com/reports/254895",
			"name": "https://hackerone.com/reports/254895",
			"refsource": "MISC",
			"tags": [
				"Exploit",
				"Third Party Advisory"
			]
		},
		{
			"url": "http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf",
			"name": "http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf",
			"refsource": "MISC",
			"tags": [
				"Third Party Advisory"
			]
		},
		{
			"url": "http://www.kb.cert.org/vuls/id/987798",
			"name": "http://www.kb.cert.org/vuls/id/987798",
			"refsource": "MISC",
			"tags": [
				"Third Party Advisory",
				"US Government Resource"
			]
		},
		{
			"url": "https://bugzilla.redhat.com/show_bug.cgi?id=995168",
			"name": "https://bugzilla.redhat.com/show_bug.cgi?id=995168",
			"refsource": "MISC",
			"tags": [
				"Issue Tracking",
				"Third Party Advisory"
			]
		},
		{
			"url": "https://support.f5.com/csp/article/K14634",
			"name": "https://support.f5.com/csp/article/K14634",
			"refsource": "MISC",
			"tags": [
				"Third Party Advisory"
			]
		},
		{
			"url": "http://github.com/meldium/breach-mitigation-rails",
			"name": "http://github.com/meldium/breach-mitigation-rails",
			"refsource": "MISC",
			"tags": [
				"Third Party Advisory"
			]
		},
		{
			"url": "https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/",
			"name": "https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/",
			"refsource": "MISC",
			"tags": [
				"Third Party Advisory"
			]
		},
		{
			"url": "https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1@%3Cdev.httpd.apache.org%3E",
			"name": "[httpd-dev] 20210409 GSOC project Idea- fix for CVE-2013-3587",
			"refsource": "MLIST",
			"tags": [
				"Mailing List",
				"Third Party Advisory"
			]
		}
	],
	"impact": {
		"baseMetricV3": {
			"cvssV3": {
				"version": "3.1",
				"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
				"attackVector": "NETWORK",
				"attackComplexity": "HIGH",
				"privilegesRequired": "NONE",
				"userInteraction": "NONE",
				"scope": "UNCHANGED",
				"confidentialityImpact": "HIGH",
				"integrityImpact": "NONE",
				"availabilityImpact": "NONE",
				"baseScore": 5.9,
				"baseSeverity": "MEDIUM"
			},
			"exploitabilityScore": 2.2,
			"impactScore": 3.6
		},
		"baseMetricV2": {
			"cvssV2": {
				"version": "2.0",
				"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
				"accessVector": "NETWORK",
				"accessComplexity": "MEDIUM",
				"authentication": "NONE",
				"confidentialityImpact": "PARTIAL",
				"integrityImpact": "NONE",
				"availabilityImpact": "NONE",
				"baseScore": 4.3
			},
			"severity": "MEDIUM",
			"exploitabilityScore": 8.6,
			"impactScore": 2.9,
			"acInsufInfo": false,
			"obtainAllPrivilege": false,
			"obtainUserPrivilege": false,
			"obtainOtherPrivilege": false,
			"userInteractionRequired": false
		}
	},
	"problem_type": "CWE-200"
}