Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.3
CVSSv2

CVE-2015-2721

Published: 06/07/2015 Updated: 12/09/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Subscribe to Ubuntu Linux

Vulnerability Summary

Mozilla Network Security Services (NSS) prior to 3.19, as used in Mozilla Firefox prior to 39.0, Firefox ESR 31.x prior to 31.8 and 38.x prior to 38.1, Thunderbird prior to 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle malicious users to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.

Vulnerable Product Search on Vulmon Subscribe to Product

canonical ubuntu linux 12.04

novell suse linux enterprise server 12.0

novell suse linux enterprise server 11

debian debian linux 8.0

debian debian linux 7.0

canonical ubuntu linux 14.10

canonical ubuntu linux 14.04

novell suse linux enterprise desktop 12.0

canonical ubuntu linux 15.04

novell suse linux enterprise software development kit 12.0

mozilla network_security_services 3.19

oracle solaris 11.3

oracle vm server 3.2

Vendor Advisories

Debian Security Advisories: DSA-3336-1 nss -- security update
Several vulnerabilities have been discovered in nss, the Mozilla Network Security Service library The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2015-2721 Karthikeyan Bhargavan discovered that NSS incorrectly handles state transitions for the TLS state machine A man-in-the-middle attacker coul ...
Ubuntu Security Notice: nss vulnerabilities
Several security issues were fixed in NSS ...
Ubuntu Security Notice: firefox vulnerabilities
Firefox could be made to crash or run programs as your login if it opened a malicious website ...
Ubuntu Security Notice: firefox vulnerabilities
Firefox could be made to crash or run programs as your login if it opened a malicious website ...
Ubuntu Security Notice: thunderbird vulnerabilities
Several security issues were fixed in Thunderbird ...
Mozilla: NSS incorrectly permits skipping of ServerKeyExchange
Mozilla Foundation Security Advisory 2015-71 NSS incorrectly permits skipping of ServerKeyExchange Announced July 2, 2015 Reporter Karthikeyan Bhargavan Impact Moderate Products Firefox, Firefox ESR, Firefox OS, SeaMonkey, T ...
Red Hat: CVE-2015-2721
It was found that NSS permitted skipping of the ServerKeyExchange packet during a handshake involving ECDHE (Elliptic Curve Diffie-Hellman key Exchange) A remote attacker could use this flaw to bypass the forward-secrecy of a TLS/SSL connection ...

Github Repositories

https://github.com/rjrelyea/ca-certificate-scripts

script to manage ca-certificates.

Updating the CA trust list in RHEL Author: Kai Engert Date: August/September/October 2018 Updating the CA trust list in RHEL Introduction Distribution mechanics Related background information Script certdata-upstream-to-certdata-rhelpy RHEL 5 App A Script doitsh App B Script sort-bundlepy App C 2019 Update with new scripts Introduction In RHEL we ship Mozill

References

CWE-310http://www.mozilla.org/security/announce/2015/mfsa2015-71.htmlhttps://smacktls.comhttps://bugzilla.mozilla.org/show_bug.cgi?id=1086145https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_noteshttp://www.debian.org/security/2015/dsa-3324http://www.debian.org/security/2015/dsa-3336http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.htmlhttp://www.ubuntu.com/usn/USN-2673-1http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlhttp://www.securityfocus.com/bid/91787http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.htmlhttp://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlhttp://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.htmlhttp://www.securityfocus.com/bid/83398http://www.securityfocus.com/bid/75541https://security.gentoo.org/glsa/201512-10http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1664.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.htmlhttp://www.ubuntu.com/usn/USN-2672-1http://www.ubuntu.com/usn/USN-2656-2http://www.ubuntu.com/usn/USN-2656-1http://www.securitytracker.com/id/1032784http://www.securitytracker.com/id/1032783http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.htmlhttps://security.gentoo.org/glsa/201701-46http://rhn.redhat.com/errata/RHSA-2015-1185.htmlhttps://nvd.nist.govhttps://www.debian.org/security/./dsa-3336https://github.com/rjrelyea/ca-certificate-scriptshttps://access.redhat.com/security/cve/cve-2015-2721https://usn.ubuntu.com/2672-1/
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
deserializationCVE-2024-4040cross-site scriptingCVE-2023-25790CVE-2024-2961XML external entityCVE-2024-26926CVE-2024-32806CVE-2024-32711
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook