The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.25301.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
n/a HTTPS protocol affected
Version Status Constraints
all affected

Configuration 1 [-]

OR cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:13.0.0:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:13.0.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_analytics:13.0.0:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_acceleration_manager:13.0.0:*:*:*:*:*:*:*

Configuration 5 [-]

OR cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:13.0.0:*:*:*:*:*:*:*

Configuration 6 [-]

OR cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*

Configuration 7 [-]

OR cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:13.0.0:*:*:*:*:*:*:*

Configuration 8 [-]

OR cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:13.0.0:*:*:*:*:*:*:*

Configuration 9 [-]

OR cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:13.0.0:*:*:*:*:*:*:*

Configuration 10 [-]

OR cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*

Configuration 11 [-]

OR cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*

Configuration 12 [-]

OR cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*

Configuration 13 [-]

OR cpe:2.3:a:f5:firepass:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:firepass:7.0.0:*:*:*:*:*:*:*

Configuration 14 [-]

OR cpe:2.3:a:f5:arx:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:arx:*:*:*:*:*:*:*:*

No data.

No data.

Project Subscriptions

Vendors Products
F5 Subscribe
Arx Subscribe
Big-ip Access Policy Manager Subscribe
Big-ip Advanced Firewall Manager Subscribe
Big-ip Analytics Subscribe
Big-ip Application Acceleration Manager Subscribe
Big-ip Application Security Manager Subscribe
Big-ip Edge Gateway Subscribe
Big-ip Link Controller Subscribe
Big-ip Local Traffic Manager Subscribe
Big-ip Policy Enforcement Manager Subscribe
Big-ip Protocol Security Module Subscribe
Big-ip Wan Optimization Manager Subscribe
Big-ip Webaccelerator Subscribe
Firepass Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://breachattack.com/ cve-icon cve-icon
http://github.com/meldium/breach-mitigation-rails cve-icon cve-icon
http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 cve-icon cve-icon
http://slashdot.org/story/13/08/05/233216 cve-icon cve-icon
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf cve-icon cve-icon
http://www.kb.cert.org/vuls/id/987798 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=995168 cve-icon cve-icon
https://hackerone.com/reports/254895 cve-icon cve-icon
https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2013-3587 cve-icon
https://support.f5.com/csp/article/K14634 cve-icon cve-icon
https://www.blackhat.com/us-13/briefings.html#Prado cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2013-3587 cve-icon
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ cve-icon cve-icon
History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.14648}

 epss

{'score': 0.14659}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2024-08-06T16:14:56.365Z

Reserved: 2013-05-21T00:00:00

Link: CVE-2013-3587

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-02-21T18:15:11.427

Modified: 2024-11-21T01:53:56.283

Link: CVE-2013-3587

cve-icon Redhat

Severity : Moderate

Publid Date: 2013-08-02T00:00:00Z

Links: CVE-2013-3587 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses