cve-2013-3587
Vulnerability from cvelistv5
Published
2020-02-21 17:11
Modified
2024-08-06 16:14
Severity ?
Summary
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
References
cret@cert.orghttp://breachattack.com/Third Party Advisory
cret@cert.orghttp://github.com/meldium/breach-mitigation-railsThird Party Advisory
cret@cert.orghttp://security.stackexchange.com/questions/20406/is-http-compression-safe#20407Exploit, Third Party Advisory
cret@cert.orghttp://slashdot.org/story/13/08/05/233216Third Party Advisory
cret@cert.orghttp://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdfThird Party Advisory
cret@cert.orghttp://www.kb.cert.org/vuls/id/987798Third Party Advisory, US Government Resource
cret@cert.orghttps://bugzilla.redhat.com/show_bug.cgi?id=995168Issue Tracking, Third Party Advisory
cret@cert.orghttps://hackerone.com/reports/254895Exploit, Third Party Advisory
cret@cert.orghttps://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E
cret@cert.orghttps://support.f5.com/csp/article/K14634Third Party Advisory
cret@cert.orghttps://www.blackhat.com/us-13/briefings.html#PradoThird Party Advisory
cret@cert.orghttps://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://breachattack.com/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://github.com/meldium/breach-mitigation-railsThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://slashdot.org/story/13/08/05/233216Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdfThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.kb.cert.org/vuls/id/987798Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=995168Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://hackerone.com/reports/254895Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://support.f5.com/csp/article/K14634Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.blackhat.com/us-13/briefings.html#PradoThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/Third Party Advisory
Impacted products
Vendor Product Version
n/a HTTPS protocol Version: all
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:14:56.365Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://breachattack.com/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://slashdot.org/story/13/08/05/233216"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.blackhat.com/us-13/briefings.html#Prado"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://github.com/meldium/breach-mitigation-rails"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/987798"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/254895"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=995168"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K14634"
          },
          {
            "name": "[httpd-dev] 20210409 GSOC project Idea- fix for CVE-2013-3587",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "HTTPS protocol",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        }
      ],
      "datePublic": "2012-09-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a \"BREACH\" attack, a different issue than CVE-2012-4929."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Other",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-10T00:06:26",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://breachattack.com/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://slashdot.org/story/13/08/05/233216"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.blackhat.com/us-13/briefings.html#Prado"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://github.com/meldium/breach-mitigation-rails"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.kb.cert.org/vuls/id/987798"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/254895"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=995168"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://support.f5.com/csp/article/K14634"
        },
        {
          "name": "[httpd-dev] 20210409 GSOC project Idea- fix for CVE-2013-3587",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2013-3587",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "HTTPS protocol",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a \"BREACH\" attack, a different issue than CVE-2012-4929."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://breachattack.com/",
              "refsource": "MISC",
              "url": "http://breachattack.com/"
            },
            {
              "name": "http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407",
              "refsource": "MISC",
              "url": "http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407"
            },
            {
              "name": "http://slashdot.org/story/13/08/05/233216",
              "refsource": "MISC",
              "url": "http://slashdot.org/story/13/08/05/233216"
            },
            {
              "name": "http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf",
              "refsource": "MISC",
              "url": "http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf"
            },
            {
              "name": "https://www.blackhat.com/us-13/briefings.html#Prado",
              "refsource": "MISC",
              "url": "https://www.blackhat.com/us-13/briefings.html#Prado"
            },
            {
              "name": "http://github.com/meldium/breach-mitigation-rails",
              "refsource": "MISC",
              "url": "http://github.com/meldium/breach-mitigation-rails"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/",
              "refsource": "MISC",
              "url": "https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/"
            },
            {
              "name": "http://www.kb.cert.org/vuls/id/987798",
              "refsource": "MISC",
              "url": "http://www.kb.cert.org/vuls/id/987798"
            },
            {
              "name": "https://hackerone.com/reports/254895",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/254895"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=995168",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=995168"
            },
            {
              "name": "https://support.f5.com/csp/article/K14634",
              "refsource": "MISC",
              "url": "https://support.f5.com/csp/article/K14634"
            },
            {
              "name": "[httpd-dev] 20210409 GSOC project Idea- fix for CVE-2013-3587",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1@%3Cdev.httpd.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2013-3587",
    "datePublished": "2020-02-21T17:11:47",
    "dateReserved": "2013-05-21T00:00:00",
    "dateUpdated": "2024-08-06T16:14:56.365Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2013-3587\",\"sourceIdentifier\":\"cret@cert.org\",\"published\":\"2020-02-21T18:15:11.427\",\"lastModified\":\"2024-11-21T01:53:56.283\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a \\\"BREACH\\\" attack, a different issue than CVE-2012-4929.\"},{\"lang\":\"es\",\"value\":\"El protocolo HTTPS, como es usado en aplicaciones web no especificadas, puede cifrar datos comprimidos sin ofuscar apropiadamente la longitud de los datos no cifrados, facilitando a atacantes de tipo \\\"man-in-the-middle\\\" obtener valores secretos en texto plano al observar las diferencias de longitud durante una serie de adivinaciones en las que una cadena en una URL de peticiones HTTP coincide potencialmente con una cadena desconocida en un cuerpo de respuesta HTTP, tambi\u00e9n se conoce como ataque \\\"BREACH\\\", un problema diferente de CVE-2012-4929.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.1.0\",\"versionEndIncluding\":\"10.2.4\",\"matchCriteriaId\":\"79618AB4-7A8E-4488-8608-57EC2F8681FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.6.1\",\"matchCriteriaId\":\"57AB5137-9797-4BA3-8725-40494DA8FFB2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndIncluding\":\"12.1.2\",\"matchCriteriaId\":\"0ACC0695-E62E-4748-AA8A-46772EB8C83C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_access_policy_manager:13.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BCF89E7C-806E-4800-BAA9-0225433B6C56\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.3.0\",\"versionEndIncluding\":\"11.6.1\",\"matchCriteriaId\":\"59217FC1-AFB3-479F-A369-9C7FB3DD29F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndIncluding\":\"12.1.2\",\"matchCriteriaId\":\"93212B86-21EA-4340-9149-E58F65285C15\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_advanced_firewall_manager:13.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C4E5F36-434B-48E1-9715-4EEC22FB23D1\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.6.1\",\"matchCriteriaId\":\"0FCA781F-8728-4ECB-85D1-1E0AE4EEFC2B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndIncluding\":\"12.1.2\",\"matchCriteriaId\":\"25944BCA-3EEB-4396-AC8F-EF58834BC47E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_analytics:13.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"34D75E7F-B65F-421D-92EE-6B20756019C2\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.4.0\",\"versionEndIncluding\":\"11.6.1\",\"matchCriteriaId\":\"70FB5FD7-4B96-438C-AAD3-D2E128DAA8BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndIncluding\":\"12.1.2\",\"matchCriteriaId\":\"39E45CF5-C9E4-4AB9-A6D5-66F8336DDB79\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_acceleration_manager:13.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D75D5AD-C20A-4D94-84E0-E695C9D2A26D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.2.0\",\"versionEndIncluding\":\"9.4.8\",\"matchCriteriaId\":\"6034A531-6A0E-4086-A76F-91C3F62C7994\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndIncluding\":\"10.2.4\",\"matchCriteriaId\":\"667D3780-3949-41AC-83DE-5BCB8B36C382\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.6.1\",\"matchCriteriaId\":\"FDDD9D77-12B6-40F4-B819-2515D357A91A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndIncluding\":\"12.1.2\",\"matchCriteriaId\":\"7CB146EF-CCAB-4194-9735-F8909E283308\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_application_security_manager:13.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7569977A-E567-4115-B00C-4B0CBA86582E\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.1.0\",\"versionEndIncluding\":\"10.2.4\",\"matchCriteriaId\":\"A8347412-DC42-4B86-BF6E-A44A5E1541ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.3.0\",\"matchCriteriaId\":\"C8942D9D-8E3A-4876-8E93-ED8D201FF546\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.2.2\",\"versionEndIncluding\":\"9.4.8\",\"matchCriteriaId\":\"E27C5743-4F94-4A1C-AD8C-25D29B65BF95\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndIncluding\":\"10.2.4\",\"matchCriteriaId\":\"1DF6BB8A-FA63-4DBC-891C-256FF23CBCF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.6.1\",\"matchCriteriaId\":\"1D413BDC-8B60-494A-A218-75EAF09D1495\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndIncluding\":\"12.1.2\",\"matchCriteriaId\":\"C4A5CD9B-D257-4EC9-8C57-D9552C2FFFFC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_link_controller:13.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E2C4414E-8016-48B5-8CC3-F97FF2D85922\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndIncluding\":\"9.6.1\",\"matchCriteriaId\":\"5F293F06-4601-4074-A695-2C229CF8D126\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndIncluding\":\"10.2.4\",\"matchCriteriaId\":\"289CEABB-22A2-436D-AE4B-4BDA2D0EAFDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.6.1\",\"matchCriteriaId\":\"439927F5-ECDA-4DD8-BA75-97E55C9E584F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndIncluding\":\"12.1.2\",\"matchCriteriaId\":\"C1F5FF67-5D17-4760-AFDC-4234EC1E6306\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_local_traffic_manager:13.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BA7D64DC-7271-4617-BD46-99C8246779CA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.3.0\",\"versionEndIncluding\":\"11.6.1\",\"matchCriteriaId\":\"632BD15C-04E6-4FD9-9410-6DE9E48F926A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndIncluding\":\"12.1.2\",\"matchCriteriaId\":\"BDE77CCE-7F97-48EA-A9D3-090B1481616F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_policy_enforcement_manager:13.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"42821916-E601-4831-B37B-3202ACF2C562\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.4.5\",\"versionEndIncluding\":\"9.4.8\",\"matchCriteriaId\":\"5522F58E-C4EA-40B4-8F44-3E95315D37EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndIncluding\":\"10.2.4\",\"matchCriteriaId\":\"2C0B4C01-C71E-4E35-B63A-68395984E033\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.4.1\",\"matchCriteriaId\":\"9828CBA5-BB72-46E2-987D-633A5B3E2AFF\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndIncluding\":\"10.2.4\",\"matchCriteriaId\":\"BB60C39D-52ED-47DD-9FB9-2B4BC8D9F8AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.3.0\",\"matchCriteriaId\":\"68BC025A-D45E-45FB-A4E4-1C89320B5BBE\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.4.0\",\"versionEndIncluding\":\"9.4.8\",\"matchCriteriaId\":\"3F383EBC-4739-4514-9EC0-BE17AC453735\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndIncluding\":\"10.2.4\",\"matchCriteriaId\":\"AE007A64-5867-4B1A-AEFB-3AB2CD6A5EA4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.3.0\",\"matchCriteriaId\":\"7C75978B-566B-4353-8716-099CB8790EE0\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:firepass:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndIncluding\":\"6.1.0\",\"matchCriteriaId\":\"15CE213B-F42C-4C2E-AFBD-852AB049FF8A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:firepass:7.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"442D343A-973B-4C33-B99B-1EA2B7670DE5\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:arx:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndIncluding\":\"5.3.1\",\"matchCriteriaId\":\"794651B6-E22C-4A6F-9B1F-AA94BEDD44FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:arx:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndIncluding\":\"6.4.0\",\"matchCriteriaId\":\"F20E6644-F925-4283-AD92-7B0696F52310\"}]}]}],\"references\":[{\"url\":\"http://breachattack.com/\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://github.com/meldium/breach-mitigation-rails\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407\",\"source\":\"cret@cert.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"http://slashdot.org/story/13/08/05/233216\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.kb.cert.org/vuls/id/987798\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=995168\",\"source\":\"cret@cert.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/254895\",\"source\":\"cret@cert.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E\",\"source\":\"cret@cert.org\"},{\"url\":\"https://support.f5.com/csp/article/K14634\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.blackhat.com/us-13/briefings.html#Prado\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://breachattack.com/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://github.com/meldium/breach-mitigation-rails\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"http://slashdot.org/story/13/08/05/233216\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.kb.cert.org/vuls/id/987798\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=995168\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/254895\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.f5.com/csp/article/K14634\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.blackhat.com/us-13/briefings.html#Prado\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.