CVE-2013-3587

CWE-200 — Information Exposure7 documents6 sources

Severity

5.9MEDIUM

EPSS

28.1%

top 3.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 ARX F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager +11 more

Timeline

PublishedFeb 21

Latest updateMay 5

Description

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages15 packages

▶CVEListV5https_protocolall

▶NVDf5/big-ip_protocol_security_module9.4.5 — 9.4.8+2

▶NVDf5/big-ip_application_security_manager9.2.0 — 9.4.8+4

▶NVDf5/arx5.0.0 — 5.3.1+1

▶NVDf5/firepass6.0.0 — 6.1.0+1

🔴Vulnerability Details

GHSA

GHSA-hh3m-fgxm-fq25: The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted da↗2022-05-05

▶

CVEList

CVE-2013-3587: The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted da↗2020-02-21

▶

📋Vendor Advisories

Red Hat

BREACH attack against HTTP compression↗2013-08-02

▶

💬Community

HackerOne

SSL BREACH attack (CVE-2013-3587)↗2017-07-30

▶

HackerOne

Big Bug in SSL : breach compression attack (CVE-2013-3587) affect imgur.com↗2016-01-21

▶

Bugzilla

CVE-2013-3587 BREACH attack against HTTP compression↗2013-08-08

▶

External resources

NVD MITRE

Affected products14

F5 ARX≥ 5.0.0, ≤ 5.3.1≥ 6.0.0, ≤ 6.4.0

F5 Big-ip Access Policy Manager≥ 10.1.0, ≤ 10.2.4≥ 11.0.0, ≤ 11.6.1≥ 12.0.0, ≤ 12.1.2+1 more

F5 Big-ip Advanced Firewall Manager≥ 11.3.0, ≤ 11.6.1≥ 12.0.0, ≤ 12.1.2v13.0.0

F5 Big-ip Analytics≥ 11.0.0, ≤ 11.6.1≥ 12.0.0, ≤ 12.1.2v13.0.0

F5 Big-ip Application Acceleration Manager≥ 11.4.0, ≤ 11.6.1≥ 12.0.0, ≤ 12.1.2v13.0.0

F5 Big-ip Application Security Manager≥ 9.2.0, ≤ 9.4.8≥ 10.0.0, ≤ 10.2.4≥ 11.0.0, ≤ 11.6.1+2 more

F5 Big-ip Edge Gateway≥ 10.1.0, ≤ 10.2.4≥ 11.0.0, ≤ 11.3.0

F5 Big-ip Link Controller≥ 9.2.2, ≤ 9.4.8≥ 10.0.0, ≤ 10.2.4≥ 11.0.0, ≤ 11.6.1+2 more

F5 Big-ip Local Traffic Manager≥ 9.0.0, ≤ 9.6.1≥ 10.0.0, ≤ 10.2.4≥ 11.0.0, ≤ 11.6.1+2 more

F5 Big-ip Policy Enforcement Manager≥ 11.3.0, ≤ 11.6.1≥ 12.0.0, ≤ 12.1.2v13.0.0

Disclosure

PublishedFeb 21, 2020

Latest updateMay 5, 2022