CVE-2015-7575

CWE-1918 documents8 sources
Severity
5.9MEDIUM
EPSS
1.5%
top 18.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Mozilla FirefoxMozilla Network Security ServicesCanonical Ubuntu Linux+2 more
Timeline
PublishedJan 9
Latest updateMay 14

Description

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages8 packages

NVDmozilla/firefox43.0.1+11
Debiannss< 2:3.21-1+3
Debianopenssl< 1.0.1f-1+3
Debiangnutls28< 3.3.15-1+3

Also affects: Ubuntu Linux 14.04, 15.04, 15.10

🔴Vulnerability Details

5
GHSA
GHSA-7x7m-5xcm-74v2: Mozilla Network Security Services (NSS) before 32022-05-14
OSV
thunderbird vulnerabilities2016-03-08
OSV
openjdk-7 vulnerabilities2016-02-01
OSV
CVE-2015-7575: Mozilla Network Security Services (NSS) before 32016-01-09
CVEList
CVE-2015-7575: Mozilla Network Security Services (NSS) before 32016-01-09

📋Vendor Advisories

8
Ubuntu
Thunderbird vulnerabilities2016-03-08
Ubuntu
OpenJDK 7 vulnerabilities2016-02-01
Ubuntu
GnuTLS vulnerability2016-01-08
Ubuntu
Firefox vulnerability2016-01-08
Ubuntu
OpenSSL vulnerability2016-01-07

💬Community

4
Bugzilla
CVE-2015-7575 nss: TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol [fedora-all]2016-01-06
Bugzilla
CVE-2015-7575 openssl: TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol [fedora-all]2016-01-06
Bugzilla
CVE-2015-7575 gnutls: TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol [fedora-all]2016-01-06
Bugzilla
CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH)2015-12-09