CVE-2013-3587

Published on: 02/21/2020 12:00:00 AM UTC

Last Modified on: 01/01/2022 07:44:00 PM UTC

CVE-2013-3587

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Certain versions of Arx from F5 contain the following vulnerability:

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.

CVE-2013-3587 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.

CVSS3 Score: 5.9 - MEDIUM

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	HIGH	NONE	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	NONE	NONE

CVSS2 Score: 4.3 - MEDIUM

Access Vector^ⓘ	Access Complexity	Authentication
NETWORK	MEDIUM	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
PARTIAL	NONE	NONE

CVE References

Description	Tags ^ⓘ	Link
	Third Party Advisory www.iacr.org application/pdf	MISC www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
BREACH Compression Attack Steals SSL Secrets - Slashdot	Third Party Advisory slashdot.org text/html	MISC slashdot.org/story/13/08/05/233216
995168 – (BREACH, CVE-2013-3587) CVE-2013-3587 BREACH attack against HTTP compression	Issue Tracking Third Party Advisory bugzilla.redhat.com text/html	MISC bugzilla.redhat.com/show_bug.cgi?id=995168
#254895 SSL : breach compression attack (CVE-2013-3587) effects legalrobot.com - HackerOne	Exploit Third Party Advisory hackerone.com text/html	MISC hackerone.com/reports/254895
BREACH	Third Party Advisory breachattack.com text/html	MISC breachattack.com/
Black Hat USA 2013 \| Briefings	Third Party Advisory www.blackhat.com text/html	MISC www.blackhat.com/us-13/briefings.html#Prado
Security advisory: BREACH and Django \| Weblog \| Django	Third Party Advisory www.djangoproject.com text/html	MISC www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
Vulnerability Note VU#987798 - BREACH vulnerability in compressed HTTPS	Third Party Advisory US Government Resource www.kb.cert.org text/html	MISC www.kb.cert.org/vuls/id/987798
GitHub - meldium/breach-mitigation-rails: Make Rails apps more resilient against the BREACH and CRIME attacks	Third Party Advisory github.com text/html	MISC github.com/meldium/breach-mitigation-rails
Pony Mail!	lists.apache.org text/html	MLIST [httpd-dev] 20210409 GSOC project Idea- fix for CVE-2013-3587
No Description Provided	Third Party Advisory support.f5.com text/html	MISC support.f5.com/csp/article/K14634
cryptography - Is HTTP compression safe? - IT Security Stack Exchange	Exploit Third Party Advisory security.stackexchange.com text/html	MISC security.stackexchange.com/questions/20406/is-http-compression-safe#20407

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

There are currently no QIDs associated with this CVE

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	F5	Arx	All	All	All	All
Application	F5	Arx	All	All	All	All
Application	F5	Big-ip Access Policy Manager	13.0.0	All	All	All
Application	F5	Big-ip Access Policy Manager	13.0.0	All	All	All
Application	F5	Big-ip Access Policy Manager	All	All	All	All
Application	F5	Big-ip Access Policy Manager	All	All	All	All
Application	F5	Big-ip Access Policy Manager	All	All	All	All
Application	F5	Big-ip Advanced Firewall Manager	13.0.0	All	All	All
Application	F5	Big-ip Advanced Firewall Manager	13.0.0	All	All	All
Application	F5	Big-ip Advanced Firewall Manager	All	All	All	All
Application	F5	Big-ip Advanced Firewall Manager	All	All	All	All
Application	F5	Big-ip Analytics	13.0.0	All	All	All
Application	F5	Big-ip Analytics	13.0.0	All	All	All
Application	F5	Big-ip Analytics	All	All	All	All
Application	F5	Big-ip Analytics	All	All	All	All
Application	F5	Big-ip Application Acceleration Manager	13.0.0	All	All	All
Application	F5	Big-ip Application Acceleration Manager	13.0.0	All	All	All
Application	F5	Big-ip Application Acceleration Manager	All	All	All	All
Application	F5	Big-ip Application Acceleration Manager	All	All	All	All
Application	F5	Big-ip Application Security Manager	13.0.0	All	All	All
Application	F5	Big-ip Application Security Manager	13.0.0	All	All	All
Application	F5	Big-ip Application Security Manager	All	All	All	All
Application	F5	Big-ip Application Security Manager	All	All	All	All
Application	F5	Big-ip Application Security Manager	All	All	All	All
Application	F5	Big-ip Application Security Manager	All	All	All	All
Application	F5	Big-ip Edge Gateway	All	All	All	All
Application	F5	Big-ip Edge Gateway	All	All	All	All
Application	F5	Big-ip Link Controller	13.0.0	All	All	All
Application	F5	Big-ip Link Controller	13.0.0	All	All	All
Application	F5	Big-ip Link Controller	All	All	All	All
Application	F5	Big-ip Link Controller	All	All	All	All
Application	F5	Big-ip Link Controller	All	All	All	All
Application	F5	Big-ip Link Controller	All	All	All	All
Application	F5	Big-ip Local Traffic Manager	13.0.0	All	All	All
Application	F5	Big-ip Local Traffic Manager	13.0.0	All	All	All
Application	F5	Big-ip Local Traffic Manager	All	All	All	All
Application	F5	Big-ip Local Traffic Manager	All	All	All	All
Application	F5	Big-ip Local Traffic Manager	All	All	All	All
Application	F5	Big-ip Local Traffic Manager	All	All	All	All
Application	F5	Big-ip Policy Enforcement Manager	13.0.0	All	All	All
Application	F5	Big-ip Policy Enforcement Manager	13.0.0	All	All	All
Application	F5	Big-ip Policy Enforcement Manager	All	All	All	All
Application	F5	Big-ip Policy Enforcement Manager	All	All	All	All
Application	F5	Big-ip Protocol Security Module	All	All	All	All
Application	F5	Big-ip Protocol Security Module	All	All	All	All
Application	F5	Big-ip Protocol Security Module	All	All	All	All
Application	F5	Big-ip Wan Optimization Manager	All	All	All	All
Application	F5	Big-ip Wan Optimization Manager	All	All	All	All
Application	F5	Big-ip Webaccelerator	All	All	All	All
Application	F5	Big-ip Webaccelerator	All	All	All	All
Application	F5	Big-ip Webaccelerator	All	All	All	All
Application	F5	Firepass	7.0.0	All	All	All
Application	F5	Firepass	7.0.0	All	All	All
Application	F5	Firepass	All	All	All	All

cpe:2.3:a:f5:arx:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:arx:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_access_policy_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_access_policy_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_analytics:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_analytics:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_application_acceleration_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_application_acceleration_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_application_security_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_application_security_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_link_controller:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_link_controller:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_local_traffic_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_local_traffic_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:13.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*:
cpe:2.3:a:f5:firepass:7.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:firepass:7.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:f5:firepass:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE