CVE-2013-3587
high-risk
Published 2020-02-21
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
Do I need to act?
!
28.1% chance of exploitation in next 30 days
EPSS score — higher than 72% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10
Medium
NETWORK
/ HIGH complexity
Affected Products (20)
Affected Vendors
References (24)
Third Party Advisory
http://breachattack.com/
Third Party Advisory
http://github.com/meldium/breach-mitigation-rails
Third Party Advisory
http://slashdot.org/story/13/08/05/233216
Third Party Advisory
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
Third Party Advisory
http://www.kb.cert.org/vuls/id/987798
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=995168
Third Party Advisory
https://support.f5.com/csp/article/K14634
Third Party Advisory
https://www.blackhat.com/us-13/briefings.html#Prado
Third Party Advisory
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
Third Party Advisory
http://breachattack.com/
Third Party Advisory
http://github.com/meldium/breach-mitigation-rails
Third Party Advisory
http://slashdot.org/story/13/08/05/233216
Third Party Advisory
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
Third Party Advisory
http://www.kb.cert.org/vuls/id/987798
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=995168
and 4 more references
54
/ 100
high-risk
Severity
18/34 · Moderate
Exploitability
15/34 · Moderate
Exposure
21/34 · High