Security Flaw in Mozilla Firefox and NSS leading to Man-in-the-Middle Attacks
CVE-2015-7575
5.9 MEDIUM
What is CVE-2015-7575?
A significant vulnerability was identified in Mozilla Network Security Services (NSS) prior to version 3.20.2, affecting Mozilla Firefox versions prior to 43.0.2 and Firefox ESR versions prior to 38.5.2. The affected code fails to properly reject MD5 signatures in Server Key Exchange messages during the TLS 1.2 handshake. A man-in-the-middle attacker can therefore use collision attacks against these signatures to spoof a server, compromising the integrity and security of the connection.
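The check the description says was missing can be sketched as follows. This is an added example, not NSS code: the function and type names are hypothetical, the sample messages are constructed, and the parser assumes an ECDHE Server Key Exchange body with the handshake header already stripped. It also goes one step beyond the text by enforcing the RFC 5246 rule that the server's algorithm pair must be one the client offered.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HashAlgorithm values from RFC 5246, section 7.4.1.4.1. */
enum { HASH_MD5 = 1, HASH_SHA256 = 4 };
typedef enum { SKE_OK, SKE_MALFORMED, SKE_MD5_REJECTED, SKE_NOT_OFFERED } ske_result;

/* Constructed samples (layout only, not valid keys or signatures):
 * named_curve(3), curve 23, 1-byte point, hash, sig_alg=rsa(1), 2-byte sig. */
static const uint8_t SAMPLE_MD5[]    = {3, 0, 23, 1, 0x04, HASH_MD5,    1, 0, 2, 0xAA, 0xBB};
static const uint8_t SAMPLE_SHA256[] = {3, 0, 23, 1, 0x04, HASH_SHA256, 1, 0, 2, 0xAA, 0xBB};
/* Constructed client offer: (sha256, rsa), (sha1, rsa) as (hash, sig) pairs. */
static const uint8_t OFFERED[] = {4, 1, 2, 1};

/*
 * Validate the SignatureAndHashAlgorithm of a TLS 1.2 ECDHE ServerKeyExchange.
 * Body layout: curve_type(1) named_curve(2) point_len(1) point
 *              hash(1) sig_alg(1) sig_len(2) signature.
 * offered/n_pairs: pairs the client sent in its signature_algorithms extension.
 */
ske_result ske_check_sigalg(const uint8_t *body, size_t len,
                            const uint8_t *offered, size_t n_pairs)
{
    if (len < 4 || body[0] != 3)              /* 3 = named_curve */
        return SKE_MALFORMED;
    size_t off = 4 + (size_t)body[3];         /* skip ECParameters and ECPoint */
    if (off > len || len - off < 4)           /* need hash, sig_alg, sig_len */
        return SKE_MALFORMED;
    uint8_t hash = body[off], sig = body[off + 1];
    size_t sig_len = ((size_t)body[off + 2] << 8) | body[off + 3];
    if (sig_len != len - off - 4)             /* signature must fill the rest */
        return SKE_MALFORMED;
    if (hash == HASH_MD5)                     /* reject before verifying anything */
        return SKE_MD5_REJECTED;
    for (size_t i = 0; i < n_pairs; i++)      /* must match a pair the client offered */
        if (offered[2 * i] == hash && offered[2 * i + 1] == sig)
            return SKE_OK;
    return SKE_NOT_OFFERED;
}

int main(void)
{
    printf("md5 sample: %d\n", ske_check_sigalg(SAMPLE_MD5, sizeof SAMPLE_MD5, OFFERED, 2));
    printf("sha256 sample: %d\n", ske_check_sigalg(SAMPLE_SHA256, sizeof SAMPLE_SHA256, OFFERED, 2));
    return 0;
}
```

The MD5 rejection is unconditional, so it holds even if a misconfigured client lists MD5 among its offered pairs.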