CVE-2013-3587
N/A
N/A
Summary
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | HTTPS protocol | all | affected |
Weaknesses
- Other
ADP Enrichment
CVE Program Container
Additional References
- http://breachattack.com/
- http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407
- http://slashdot.org/story/13/08/05/233216
- http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
- https://www.blackhat.com/us-13/briefings.html#Prado
- http://github.com/meldium/breach-mitigation-rails
- https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
- http://www.kb.cert.org/vuls/id/987798
- https://hackerone.com/reports/254895
- https://bugzilla.redhat.com/show_bug.cgi?id=995168
- https://support.f5.com/csp/article/K14634
- https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E
References
- http://breachattack.com/
- http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407
- http://slashdot.org/story/13/08/05/233216
- http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
- https://www.blackhat.com/us-13/briefings.html#Prado
- http://github.com/meldium/breach-mitigation-rails
- https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
- http://www.kb.cert.org/vuls/id/987798
- https://hackerone.com/reports/254895
- https://bugzilla.redhat.com/show_bug.cgi?id=995168
- https://support.f5.com/csp/article/K14634
- https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.