Medium severity5.9NVD Advisory· Published Jan 9, 2016· Updated May 6, 2026

CVE-2015-7575

Description

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

Affected products

Mozilla Corporation/Firefox12 versions
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 11 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <=43.0.1
- cpe:2.3:a:mozilla:firefox:38.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.5.1:*:*:*:*:*:*:*
Mozilla Corporation/Network Security Services
cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*
Range: <=3.20.1
Canonical (company)/Ubuntu Linux3 versions
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*+ 2 more
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
OpenSUSE/Leap
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
OpenSUSE/openSUSE2 versions
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000