CVE-2013-3587

MEDIUM

F5 BIG-IP - Exposure of Sensitive Information via BREACH Attack


Description

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.

References (12, 8 shown)

http://breachattack.com/ (Third Party Advisory; x_refsource_misc)
http://slashdot.org/story/13/08/05/233216 (Third Party Advisory; x_refsource_misc)
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf (Third Party Advisory; x_refsource_misc)
https://www.blackhat.com/us-13/briefings.html#Prado (Third Party Advisory; x_refsource_misc)
http://www.kb.cert.org/vuls/id/987798 (Third Party Advisory, US Government Resource; x_refsource_misc)
https://hackerone.com/reports/254895 (Exploit, Third Party Advisory; x_refsource_misc)
https://bugzilla.redhat.com/show_bug.cgi?id=995168 (Issue Tracking, Third Party Advisory; x_refsource_misc)
https://support.f5.com/csp/article/K14634 (Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 5.9
EPSS 0.2814
EPSS Percentile 96.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (23)
f5/arx 5.0.0 - 5.3.1
f5/big-ip_access_policy_manager 13.0.0
f5/big-ip_access_policy_manager 10.1.0 - 10.2.4
f5/big-ip_advanced_firewall_manager 13.0.0
f5/big-ip_advanced_firewall_manager 11.3.0 - 11.6.1
f5/big-ip_analytics 13.0.0
f5/big-ip_analytics 11.0.0 - 11.6.1
f5/big-ip_application_acceleration_manager 13.0.0
f5/big-ip_application_acceleration_manager 11.4.0 - 11.6.1
f5/big-ip_application_security_manager 13.0.0
... and 13 more
Published Feb 21, 2020
Tracked Since Feb 18, 2026