CVE-2015-7575

Severity CVSS v4.0:

Pending analysis

Type:

CWE-19 Data Handling

Publication date:

09/01/2016

Last modified:

12/04/2025

Description

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

Impact

Vector 3.x

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 5.90 MEDIUM
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Base Score 3.x

5.90

Severity 3.x

MEDIUM

Vector 2.0

AV:N/AC:M/Au:N/C:N/I:P/A:N CVSS v2.0 Severity and Metrics:

Base Score: 4.30 MEDIUM
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Medium
Authentication (Au): None
Confidentiality (C): None
Integrity (I): Physical
Availability (A): None

Base Score 2.0

4.30

Severity 2.0

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:mozilla:network_security_services::::::::		3.20.1 (including)
cpe:2.3:o:opensuse:leap:42.1:::::::*
cpe:2.3:o:opensuse:opensuse:13.1:::::::*
cpe:2.3:o:opensuse:opensuse:13.2:::::::*
cpe:2.3:a:mozilla:firefox:38.0:::::::*
cpe:2.3:a:mozilla:firefox:38.0.1:::::::*
cpe:2.3:a:mozilla:firefox:38.0.5:::::::*
cpe:2.3:a:mozilla:firefox:38.1.0:::::::*
cpe:2.3:a:mozilla:firefox:38.1.1:::::::*
cpe:2.3:a:mozilla:firefox:38.2.0:::::::*
cpe:2.3:a:mozilla:firefox:38.2.1:::::::*
cpe:2.3:a:mozilla:firefox:38.3.0:::::::*
cpe:2.3:a:mozilla:firefox:38.4.0:::::::*
cpe:2.3:a:mozilla:firefox:38.5.0:::::::*
cpe:2.3:a:mozilla:firefox:38.5.1:::::::*

To consult the complete list of CPE names with products and versions, see this page

CPE	From	Up to
cpe:2.3:a:mozilla:network_security_services::::::::		3.20.1 (including)
cpe:2.3:o:opensuse:leap:42.1:::::::*
cpe:2.3:o:opensuse:opensuse:13.1:::::::*
cpe:2.3:o:opensuse:opensuse:13.2:::::::*
cpe:2.3:a:mozilla:firefox:38.0:::::::*
cpe:2.3:a:mozilla:firefox:38.0.1:::::::*
cpe:2.3:a:mozilla:firefox:38.0.5:::::::*
cpe:2.3:a:mozilla:firefox:38.1.0:::::::*
cpe:2.3:a:mozilla:firefox:38.1.1:::::::*
cpe:2.3:a:mozilla:firefox:38.2.0:::::::*
cpe:2.3:a:mozilla:firefox:38.2.1:::::::*
cpe:2.3:a:mozilla:firefox:38.3.0:::::::*
cpe:2.3:a:mozilla:firefox:38.4.0:::::::*
cpe:2.3:a:mozilla:firefox:38.5.0:::::::*
cpe:2.3:a:mozilla:firefox:38.5.1:::::::*

CVE-2015-7575

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools