QwikSec

Security Database

CVE

CWE

Training

CVE-2013-3587

Published: Feb 21, 2020

Modified: Aug 6, 2024

PUBLISHED

Description

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.

Vendor	Product	Versions
n/a	HTTPS protocol	affected `all`

References

http://breachattack.com/

x_refsource_MISC

http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407

x_refsource_MISC

http://slashdot.org/story/13/08/05/233216

x_refsource_MISC

http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf

x_refsource_MISC

https://www.blackhat.com/us-13/briefings.html#Prado

x_refsource_MISC

http://github.com/meldium/breach-mitigation-rails

x_refsource_MISC

https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

x_refsource_MISC

http://www.kb.cert.org/vuls/id/987798

x_refsource_MISC

https://hackerone.com/reports/254895

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=995168

x_refsource_MISC

https://support.f5.com/csp/article/K14634

x_refsource_MISC

[httpd-dev] 20210409 GSOC project Idea- fix for CVE-2013-3587

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.