CVE-2015-7575

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

Published: Jan 9, 2016
Updated: Apr 13, 2023
CVE: CVE-2015-7575
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-19

Affected Software
References

Software	From	Fixed in
mozilla / network_security_services	-	3.20.1.x
opensuse / leap	42.1	42.1.x
opensuse / opensuse	13.1	13.1.x
opensuse / opensuse	13.2	13.2.x
mozilla / firefox_esr	38.0	38.0.x
mozilla / firefox_esr	38.2.1	38.2.1.x
mozilla / firefox_esr	38.1.0	38.1.0.x
mozilla / firefox_esr	38.2.0	38.2.0.x
mozilla / firefox_esr	38.4.0	38.4.0.x
mozilla / firefox_esr	38.3.0	38.3.0.x
mozilla / firefox_esr	38.5.1	38.5.1.x
mozilla / firefox_esr	38.0.5	38.0.5.x
mozilla / firefox_esr	38.0.1	38.0.1.x
mozilla / firefox_esr	38.5.0	38.5.0.x
mozilla / firefox_esr	38.1.1	38.1.1.x
canonical / ubuntu_linux	15.10	15.10.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	15.04	15.04.x
mozilla / firefox	-	43.0.1.x

Vulnerability Database

289,599

CVE-2015-7575