CVE-2013-3587

medium

Description

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
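An added illustration of the mitigation behind this entry, not part of the CVE record: per-response masking of a secret (the approach the Django reference below describes) next to a check of whether a response's compressed size still varies with a string reflected from the request. The page template, token name and hex secret value are constructed for the example.

```python
import os
import zlib

# Constructed sample secret (made up for this example, not from the CVE record).
SECRET = "csrftoken=0f9a3c7e2b1d4a6f8e5c3b2a1d0f9e8c"


def compressed_len(body: str) -> int:
    """Size of the DEFLATE output: roughly what an on-path observer sees
    for a compressed HTTPS response (TLS record padding aside)."""
    return len(zlib.compress(body.encode()))


def render_unmasked(reflected: str) -> str:
    """Hypothetical page that echoes a URL parameter next to a static secret.
    LZ77 back-references make the output shorter when the echo matches."""
    return f"<p>You searched for: {reflected}</p><form>{SECRET}</form>"


def mask_secret(secret: str) -> str:
    """Django-style masking: XOR the secret with a fresh random mask and emit
    mask||masked as hex, so the bytes carrying the secret differ per response
    and a reflected guess has nothing stable to match against."""
    raw = secret.encode()
    mask = os.urandom(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return (mask + masked).hex()


def unmask_secret(token: str) -> str:
    """Server-side inverse of mask_secret."""
    data = bytes.fromhex(token)
    half = len(data) // 2
    return bytes(a ^ b for a, b in zip(data[half:], data[:half])).decode()


def render_masked(reflected: str) -> str:
    """Same page with the secret masked per response."""
    return f"<p>You searched for: {reflected}</p><form>{mask_secret(SECRET)}</form>"


def length_spread(render, guesses) -> int:
    """Defensive check: largest minus smallest compressed size across guesses.
    For an unmasked page a non-zero spread is the length signal this CVE describes."""
    sizes = [compressed_len(render(g)) for g in guesses]
    return max(sizes) - min(sizes)
```

Run `length_spread` against your own templates with a matching and a non-matching reflected string; the unmasked template shows a difference, while the masked one gives sizes that no longer track the guess.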

References

https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

https://www.blackhat.com/us-13/briefings.html#Prado

https://support.f5.com/csp/article/K14634

https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E

https://bugzilla.redhat.com/show_bug.cgi?id=995168

http://www.kb.cert.org/vuls/id/987798

http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf

http://slashdot.org/story/13/08/05/233216

http://github.com/meldium/breach-mitigation-rails

http://breachattack.com/

Details

Source: Mitre, NVD

Published: 2020-02-21

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: Medium