CVE-2015-7575
moderate-risk
Published 2016-01-09
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
Do I need to act?
~
1.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10
Medium
NETWORK
/ HIGH complexity
Affected Products (19)
References (104)
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html
Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html
and 84 more references
41
/ 100
moderate-risk
Severity
18/34 · Moderate
Exploitability
4/34 · Minimal
Exposure
19/34 · Moderate