Vulnerability Name: CVE-2013-3587 (CCN-86071)

Assigned: 2013-08-02
Published: 2013-08-02
Updated: 2022-01-01
Summary: The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
CVSS v3 Severity: 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.5 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:W/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.3 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:W/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information
References:

Source: MISC
Type: Third Party Advisory
http://breachattack.com/

Source: MITRE
Type: CNA
CVE-2013-3587

Source: MISC
Type: Third Party Advisory
http://github.com/meldium/breach-mitigation-rails

Source: MISC
Type: Exploit, Third Party Advisory
http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407

Source: MISC
Type: Third Party Advisory
http://slashdot.org/story/13/08/05/233216

Source: MISC
Type: Third Party Advisory
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf

Source: CCN
Type: IBM Security Bulletin 1997104 (Rational Collaborative Lifecycle Management)
Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology

Source: CCN
Type: US-CERT VU#987798
'BREACH' HTTPS vulnerability

Source: MISC
Type: Third Party Advisory, US Government Resource
http://www.kb.cert.org/vuls/id/987798

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=995168

Source: XF
Type: UNKNOWN
https-cve20133587-breach(86071)

Source: MISC
Type: Exploit, Third Party Advisory
https://hackerone.com/reports/254895

Source: MLIST
Type: Mailing List, Third Party Advisory
[httpd-dev] 20210409 GSOC project Idea- fix for CVE-2013-3587

Source: MISC
Type: Third Party Advisory
https://support.f5.com/csp/article/K14634

Source: CCN
Type: blackhat.com
SSL, gone in 30 seconds - a BREACH beyond CRIME

Source: MISC
Type: Third Party Advisory
https://www.blackhat.com/us-13/briefings.html#Prado

Source: MISC
Type: Third Party Advisory
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-3587

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 10.1.0 and <= 10.2.4)
  • OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.6.1)
  • OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_access_policy_manager:13.0.0:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 11.3.0 and <= 11.6.1)
  • OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_advanced_firewall_manager:13.0.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.6.1)
  • OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_analytics:13.0.0:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 11.4.0 and <= 11.6.1)
  • OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_application_acceleration_manager:13.0.0:*:*:*:*:*:*:*

Configuration 5:
  • cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 9.2.0 and <= 9.4.8)
  • OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 10.0.0 and <= 10.2.4)
  • OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.6.1)
  • OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_application_security_manager:13.0.0:*:*:*:*:*:*:*

Configuration 6:
  • cpe:/a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (Version >= 10.1.0 and <= 10.2.4)
  • OR cpe:/a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.3.0)

Configuration 7:
  • cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 9.2.2 and <= 9.4.8)
  • OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 10.0.0 and <= 10.2.4)
  • OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.6.1)
  • OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_link_controller:13.0.0:*:*:*:*:*:*:*

Configuration 8:
  • cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 9.0.0 and <= 9.6.1)
  • OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 10.0.0 and <= 10.2.4)
  • OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.6.1)
  • OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_local_traffic_manager:13.0.0:*:*:*:*:*:*:*

Configuration 9:
  • cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 11.3.0 and <= 11.6.1)
  • OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.1.2)
  • OR cpe:/a:f5:big-ip_policy_enforcement_manager:13.0.0:*:*:*:*:*:*:*

Configuration 10:
  • cpe:/a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:* (Version >= 9.4.5 and <= 9.4.8)
  • OR cpe:/a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:* (Version >= 10.0.0 and <= 10.2.4)
  • OR cpe:/a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.4.1)

Configuration 11:
  • cpe:/a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:* (Version >= 10.0.0 and <= 10.2.4)
  • OR cpe:/a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.3.0)

Configuration 12:
  • cpe:/a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (Version >= 9.4.0 and <= 9.4.8)
  • OR cpe:/a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (Version >= 10.0.0 and <= 10.2.4)
  • OR cpe:/a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.3.0)

Configuration 13:
  • cpe:/a:f5:firepass:*:*:*:*:*:*:*:* (Version >= 6.0.0 and <= 6.1.0)
  • OR cpe:/a:f5:firepass:7.0.0:*:*:*:*:*:*:*

Configuration 14:
  • cpe:/a:f5:arx:*:*:*:*:*:*:*:* (Version >= 5.0.0 and <= 5.3.1)
  • OR cpe:/a:f5:arx:*:*:*:*:*:*:*:* (Version >= 6.0.0 and <= 6.4.0)

Configuration CCN 1:
  • cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.3:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:com.ubuntu.precise:def:20133587000 | V | CVE-2013-3587 on Ubuntu 12.04 LTS (precise) - medium. | 2013-09-09