5.9

CVE-2013-3587

Exploit

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.

Data is provided by the National Vulnerability Database (NVD)
F5Big-ip Access Policy Manager Version >= 10.1.0 <= 10.2.4
F5Big-ip Access Policy Manager Version >= 11.0.0 <= 11.6.1
F5Big-ip Access Policy Manager Version >= 12.0.0 <= 12.1.2
F5Big-ip Access Policy Manager Version13.0.0
F5Big-ip Advanced Firewall Manager Version >= 11.3.0 <= 11.6.1
F5Big-ip Advanced Firewall Manager Version >= 12.0.0 <= 12.1.2
F5Big-ip Analytics Version >= 11.0.0 <= 11.6.1
F5Big-ip Analytics Version >= 12.0.0 <= 12.1.2
F5Big-ip Analytics Version13.0.0
F5Big-ip Application Acceleration Manager Version >= 11.4.0 <= 11.6.1
F5Big-ip Application Acceleration Manager Version >= 12.0.0 <= 12.1.2
F5Big-ip Application Security Manager Version >= 9.2.0 <= 9.4.8
F5Big-ip Application Security Manager Version >= 10.0.0 <= 10.2.4
F5Big-ip Application Security Manager Version >= 11.0.0 <= 11.6.1
F5Big-ip Application Security Manager Version >= 12.0.0 <= 12.1.2
F5Big-ip Edge Gateway Version >= 10.1.0 <= 10.2.4
F5Big-ip Edge Gateway Version >= 11.0.0 <= 11.3.0
F5Big-ip Link Controller Version >= 9.2.2 <= 9.4.8
F5Big-ip Link Controller Version >= 10.0.0 <= 10.2.4
F5Big-ip Link Controller Version >= 11.0.0 <= 11.6.1
F5Big-ip Link Controller Version >= 12.0.0 <= 12.1.2
F5Big-ip Link Controller Version13.0.0
F5Big-ip Local Traffic Manager Version >= 9.0.0 <= 9.6.1
F5Big-ip Local Traffic Manager Version >= 10.0.0 <= 10.2.4
F5Big-ip Local Traffic Manager Version >= 11.0.0 <= 11.6.1
F5Big-ip Local Traffic Manager Version >= 12.0.0 <= 12.1.2
F5Big-ip Local Traffic Manager Version13.0.0
F5Big-ip Policy Enforcement Manager Version >= 11.3.0 <= 11.6.1
F5Big-ip Policy Enforcement Manager Version >= 12.0.0 <= 12.1.2
F5Big-ip Protocol Security Module Version >= 9.4.5 <= 9.4.8
F5Big-ip Protocol Security Module Version >= 10.0.0 <= 10.2.4
F5Big-ip Protocol Security Module Version >= 11.0.0 <= 11.4.1
F5Big-ip Wan Optimization Manager Version >= 10.0.0 <= 10.2.4
F5Big-ip Wan Optimization Manager Version >= 11.0.0 <= 11.3.0
F5Big-ip Webaccelerator Version >= 9.4.0 <= 9.4.8
F5Big-ip Webaccelerator Version >= 10.0.0 <= 10.2.4
F5Big-ip Webaccelerator Version >= 11.0.0 <= 11.3.0
F5Firepass Version >= 6.0.0 <= 6.1.0
F5Firepass Version7.0.0
F5Arx Version >= 5.0.0 <= 5.3.1
F5Arx Version >= 6.0.0 <= 6.4.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 14.66% 0.942
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

http://breachattack.com/
Third Party Advisory
http://www.kb.cert.org/vuls/id/987798
Third Party Advisory
US Government Resource
https://bugzilla.redhat.com/show_bug.cgi?id=995168
Third Party Advisory
Issue Tracking
https://hackerone.com/reports/254895
Third Party Advisory
Exploit