CVE-2013-3587
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
- Published date
- 2020-02-21T18:15Z
- Last modification date
- 2022-01-01T19:44Z
- Assigner
- cert@cert.org
- Problem type
- CWE-200
Impact
- CVSS v3 vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
| Name | URL | Source | Tags |
|---|---|---|---|
| http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 | http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 | MISC | Exploit, Third Party Advisory |
| http://slashdot.org/story/13/08/05/233216 | http://slashdot.org/story/13/08/05/233216 | MISC | Third Party Advisory |
| http://breachattack.com/ | http://breachattack.com/ | MISC | Third Party Advisory |
| https://www.blackhat.com/us-13/briefings.html#Prado | https://www.blackhat.com/us-13/briefings.html#Prado | MISC | Third Party Advisory |
| https://hackerone.com/reports/254895 | https://hackerone.com/reports/254895 | MISC | Exploit, Third Party Advisory |
| http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf | http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf | MISC | Third Party Advisory |
| http://www.kb.cert.org/vuls/id/987798 | http://www.kb.cert.org/vuls/id/987798 | MISC | Third Party Advisory, US Government Resource |
| https://bugzilla.redhat.com/show_bug.cgi?id=995168 | https://bugzilla.redhat.com/show_bug.cgi?id=995168 | MISC | Issue Tracking, Third Party Advisory |
| https://support.f5.com/csp/article/K14634 | https://support.f5.com/csp/article/K14634 | MISC | Third Party Advisory |
| http://github.com/meldium/breach-mitigation-rails | http://github.com/meldium/breach-mitigation-rails | MISC | Third Party Advisory |
| https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ | https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ | MISC | Third Party Advisory |
| [httpd-dev] 20210409 GSOC project Idea- fix for CVE-2013-3587 | https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1@%3Cdev.httpd.apache.org%3E | MLIST | Mailing List, Third Party Advisory |