CVE-2013-2566
5.9 MEDIUMThe RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers ...
Published: 2013-03-15 · Last updated: 2026-04-29
Severity and scoring
- CVSS
- 5.9 MEDIUM
- Vector
- CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-326
Affected products
| Vendor | Product |
|---|---|
| canonical | communications_application_session_controller, firefox, http_server |
| fujitsu | communications_application_session_controller, firefox, http_server |
| mozilla | communications_application_session_controller, firefox, http_server |
| oracle | communications_application_session_controller, firefox, http_server |
Description
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2013-2566
- [Other]http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
- [Other]http://cr.yp.to/talks/2013.03.12/slides.pdf
- [Other]http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- [Other]http://marc.info/?l=bugtraq&m=143039468003789&w=2
- [Other]http://my.opera.com/securitygroup/blog/2013/03/20/on-the-precariousness-of-rc4
- [Other]http://security.gentoo.org/glsa/glsa-201406-19.xml
- [Other]http://www.isg.rhul.ac.uk/tls/
- [Other]http://www.mozilla.org/security/announce/2013/mfsa2013-103.html
- [Other]http://www.opera.com/docs/changelogs/unified/1215/
- [Other]http://www.opera.com/security/advisory/1046
- [Other]http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- [Other]http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- [Other]http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- [Other]http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- [Other]http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- [Other]http://www.securityfocus.com/bid/58796
- [Other]http://www.ubuntu.com/usn/USN-2031-1
- [Other]http://www.ubuntu.com/usn/USN-2032-1
- [Other]https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935
- [Other]https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888
- [Other]https://security.gentoo.org/glsa/201504-01
- [Other]http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
- [Other]http://cr.yp.to/talks/2013.03.12/slides.pdf
- [Other]http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- [Other]http://marc.info/?l=bugtraq&m=143039468003789&w=2
- [Other]http://my.opera.com/securitygroup/blog/2013/03/20/on-the-precariousness-of-rc4
- [Other]http://security.gentoo.org/glsa/glsa-201406-19.xml
- [Other]http://www.isg.rhul.ac.uk/tls/
- [Other]http://www.mozilla.org/security/announce/2013/mfsa2013-103.html
- [Other]http://www.opera.com/docs/changelogs/unified/1215/
- [Other]http://www.opera.com/security/advisory/1046
- [Other]http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- [Other]http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- [Other]http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- [Other]http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- [Other]http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- [Other]http://www.securityfocus.com/bid/58796
- [Other]http://www.ubuntu.com/usn/USN-2031-1
- [Other]http://www.ubuntu.com/usn/USN-2032-1
- [Other]https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935
- [Other]https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888
- [Other]https://security.gentoo.org/glsa/201504-01
Related CVEs
Same vendor
- CVE-2026-12330 — Incorrect boundary conditions in the Internationalization component (5.4 MEDIUM)
- CVE-2026-12329 — Memory safety bug fixed in Thunderbird ESR 140.12 (5.3 MEDIUM)
- CVE-2026-12328 — Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151 (8.1 HIGH)
- CVE-2026-12323 — Spoofing issue in the DOM: Core & HTML component (5.4 MEDIUM)
- CVE-2026-12322 — Clickjacking issue in the Widget: Gtk component (5.4 MEDIUM)
Same CWE
- CVE-2026-41860 — CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM (8.8 HIGH)
- CVE-2026-8878 — Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensiti... (7.5 HIGH)
- CVE-2026-45787 — electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client (9.1 CRITICAL)
- CVE-2026-5363 — Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation (8.8 HIGH)
- CVE-2024-28755 — An issue was discovered in Mbed TLS 3.5.x before 3.6.0 (6.5 MEDIUM)