CVE-2015-7575
Summary
| CVE | CVE-2015-7575 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-01-09 02:59:10 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision. |
Risk And Classification
Primary CVSS: v3.0 5.9 MEDIUM from [email protected]
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Problem Types: CWE-19 | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 2.0 | [email protected] | Primary | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
CVSS v3.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
NoneAvailability
NoneCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
NoneIntegrity
PartialAvailability
NoneAV:N/AC:M/Au:N/C:N/I:P/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 15.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 15.10 | All | All | All |
| Application | Mozilla | Firefox | 38.0 | All | All | All |
| Application | Mozilla | Firefox | 38.0.1 | All | All | All |
| Application | Mozilla | Firefox | 38.0.5 | All | All | All |
| Application | Mozilla | Firefox | 38.1.0 | All | All | All |
| Application | Mozilla | Firefox | 38.1.1 | All | All | All |
| Application | Mozilla | Firefox | 38.2.0 | All | All | All |
| Application | Mozilla | Firefox | 38.2.1 | All | All | All |
| Application | Mozilla | Firefox | 38.3.0 | All | All | All |
| Application | Mozilla | Firefox | 38.4.0 | All | All | All |
| Application | Mozilla | Firefox | 38.5.0 | All | All | All |
| Application | Mozilla | Firefox | 38.5.1 | All | All | All |
| Application | Mozilla | Firefox | All | All | All | All |
| Application | Mozilla | Network Security Services | All | All | All | All |
| Operating System | Opensuse | Leap | 42.1 | All | All | All |
| Operating System | Opensuse | Opensuse | 13.1 | All | All | All |
| Operating System | Opensuse | Opensuse | 13.2 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| Debian -- Security Information -- DSA-3457-1 iceweasel | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| USN-2863-1: OpenSSL vulnerability | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| USN-2904-1: Thunderbird vulnerabilities | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| [security-announce] openSUSE-SU-2016:0263-1: critical: Security update f | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| openSUSE-SU-2016:0308-1: moderate: Security update for Seamonkey | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Third Party Advisory |
| openSUSE-SU-2016:0162-1: moderate: Security update for mbedtls | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| Debian -- Security Information -- DSA-3465-1 openjdk-6 | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| USN-2864-1: NSS vulnerability | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| USN-2884-1: OpenJDK 7 vulnerabilities | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | Third Party Advisory |
| Debian -- Security Information -- DSA-3436-1 openssl | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| openSUSE-SU-2016:0161-1: moderate: Security update for polarssl | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| [security-announce] openSUSE-SU-2016:0268-1: critical: Security update f | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| IBM AIX Default TLS Version Lets Remote Users Conduct Man-in-the-Middle Attacks Obtain Potentially Sensitive Information on the Target System - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| Access Denied | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.mozilla.org | Issue Tracking |
| openSUSE-SU-2016:0488-1: moderate: Security update for Thunderbird | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| Debian -- Security Information -- DSA-3688-1 nss | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| [security-announce] openSUSE-SU-2016:0279-1: critical: Security update f | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| openSUSE-SU-2016:0007-1: moderate: Security update for MozillaFirefox | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| [security-announce] openSUSE-SU-2016:0270-1: critical: Security update f | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| [security-announce] SUSE-SU-2016:0256-1: critical: Security update for j | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| Mozilla Network Security Services CVE-2015-7575 Security Bypass Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| Debian -- Security Information -- DSA-3437-1 gnutls26 | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| Debian -- Security Information -- DSA-3491-1 icedove | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| [security-announce] openSUSE-SU-2016:0272-1: important: Security update | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| openSUSE-SU-2016:0307-1: moderate: Security update for seamonkey | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Third Party Advisory |
| PolarSSL: Multiple vulnerabilities (GLSA 201801-15) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| USN-2866-1: Firefox vulnerability | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| Oracle Critical Patch Update - July 2016 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Third Party Advisory |
| MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature — Mozilla | af854a3a-2127-422b-91ae-364da2661108 | www.mozilla.org | Vendor Advisory |
| mbed TLS: Multiple vulnerabilities (GLSA 201706-18) — Gentoo Security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| openSUSE-SU-2016:0605-1: moderate: Security update for bouncycastle | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| Oracle Critical Patch Update - October 2017 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Oracle Critical Patch Update - January 2016 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Vendor Advisory |
| Oracle Critical Patch Update Advisory - April 2016 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Third Party Advisory |
| NSS 3.20.2 release notes - Mozilla | MDN | af854a3a-2127-422b-91ae-364da2661108 | developer.mozilla.org | Vendor Advisory |
| [security-announce] SUSE-SU-2016:0269-1: critical: Security update for j | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| Oracle Linux Bulletin - January 2016 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Debian -- Security Information -- DSA-3458-1 openjdk-7 | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| CVE-2015-7575 TLS Vulnerability in Multiple NetApp Products | NetApp Product Security | af854a3a-2127-422b-91ae-364da2661108 | security.netapp.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| [security-announce] SUSE-SU-2016:0265-1: critical: Security update for j | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| USN-2865-1: GnuTLS vulnerability | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| Mozilla Network Security Service (NSS): Multiple vulnerabilities (GLSA 201701-46) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| openSUSE-SU-2015:2405-1: moderate: Security update for mozilla-nss | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| Oracle July 2016 Critical Patch Update Multiple Vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 390226 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2021-0011)
- 390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)
- 710439 Gentoo Linux mbed Transport Layer Security (TLS) Multiple Vulnerabilities (GLSA 201706-18)
- 710518 Gentoo Linux Mozilla Network Security Service (NSS) Multiple Vulnerabilities (GLSA 201701-46)