DEBIAN-CVE-2015-4000

Advisory lineage Upstream: 1 Downstream: 9

Upstream

CVE-2015-4000

Downstream

DLA-247-1 DLA-303-1 DLA-507-1 DSA-3287-1 DSA-3300-1 DSA-3316-1

Published: 21 May 2015, 00:59

Last modified:28 Apr 2026, 20:14

Vulnerability Summary

Overall Risk (default)

low

15/100

CVSS Score

3.7 LOW

3.0 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

21 May 2015, 00:59

Published

Vulnerability first disclosed

28 Apr 2026, 20:14

Last Modified

Vulnerability information updated

Description

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

CVSS Metrics

v3.0•LOW•Score: 3.7CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Systems

debian•nss
< 2:3.19.1-1 | < 2:3.19.1-1 | < 2:3.19.1-1 | < 2:3.19.1-1
debian•openssl
< 1.0.2b-1 | < 1.0.2b-1 | < 1.0.2b-1 | < 1.0.2b-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2015-4000