CVE-2015-7575
Advisory lineage Upstream: 0 Downstream: 53
Modified
Published: 09 Jan 2016, 02:00
Last modified: 06 Aug 2024, 07:51
Vulnerability Summary
- Overall Risk (default): low, 24/100
- CVSS Score: 5.9 MEDIUM, v3.0 (nvd)
- EPSS Score: 1.07% LOW (1% probability, -0.66%)
- KEV: Not listed
- Ransomware: No reports
- Public exploits: None found
- Dark Web: Not detected
Timeline
- 09 Jan 2016, 02:00: Published. Vulnerability first disclosed
- 06 Aug 2024, 07:51: Last Modified. Vulnerability information updated
Description
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
CVSS Metrics
- v3.0•MEDIUM•Score: 5.9•CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- v2.0•MEDIUM•Score: 4.3•AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 1.07% • Percentile: 78%
Techniques & Countermeasures
- CWE-19•Data Processing Errors
Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Affected Systems
- canonical•ubuntu_linux
14.04 | 15.04 | 15.10
- mozilla•firefox
38.0 | 38.0.1 | 38.0.5 | 38.1.0 | 38.1.1 | 38.2.0 | 38.2.1 | 38.3.0 | 38.4.0 | 38.5.0 | 38.5.1 | ≤ 43.0.1
- mozilla•network_security_services
≤ 3.20.1
- opensuse•leap
42.1
- opensuse•opensuse
13.1 | 13.2
References (52)
- http://www.debian.org/security/2016/dsa-3688
- http://www.debian.org/security/2016/dsa-3457
- http://www.debian.org/security/2016/dsa-3491
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html
- http://www.securitytracker.com/id/1036467
- https://security.gentoo.org/glsa/201701-46
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html
- http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.ubuntu.com/usn/USN-2884-1
- http://www.securityfocus.com/bid/79684
- http://www.debian.org/security/2016/dsa-3465
- https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- https://access.redhat.com/errata/RHSA-2016:1430
- https://bugzilla.mozilla.org/show_bug.cgi?id=1158489
- http://rhn.redhat.com/errata/RHSA-2016-0049.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html
- http://www.debian.org/security/2016/dsa-3437
- http://rhn.redhat.com/errata/RHSA-2016-0053.html
- http://www.ubuntu.com/usn/USN-2904-1
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html
- https://security.netapp.com/advisory/ntap-20160225-0001/
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html
- http://www.debian.org/security/2016/dsa-3436
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html
- http://www.ubuntu.com/usn/USN-2866-1
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.securityfocus.com/bid/91787
- http://www.mozilla.org/security/announce/2015/mfsa2015-150.html
- http://rhn.redhat.com/errata/RHSA-2016-0055.html
- https://security.gentoo.org/glsa/201801-15
- http://rhn.redhat.com/errata/RHSA-2016-0054.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html
- https://security.gentoo.org/glsa/201706-18
- http://www.ubuntu.com/usn/USN-2864-1
- http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html
- http://rhn.redhat.com/errata/RHSA-2016-0056.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html
- http://rhn.redhat.com/errata/RHSA-2016-0050.html
- http://www.debian.org/security/2016/dsa-3458
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html
- http://www.ubuntu.com/usn/USN-2865-1
- http://www.securitytracker.com/id/1034541
- http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html
- http://www.ubuntu.com/usn/USN-2863-1