CVE-2015-7575

MEDIUM

Mozilla NSS <3.20.2 - Info Disclosure

Title source: llm

Description

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

References (52)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-0049.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-0050.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-0053.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-0054.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-0055.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-0056.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html

[Mailing List] http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html

[Mailing List] http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html

[Mailing List] http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html

[Mailing List] http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html

... and 32 more

Scores

CVSS v3 5.9

EPSS 0.0169

EPSS Percentile 82.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-19

Status draft

Affected Products (19)

mozilla/network_security_services < 3.20.1

opensuse/leap

opensuse/opensuse

opensuse/opensuse

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

... and 4 more

Timeline

Published Jan 09, 2016

Tracked Since Feb 18, 2026