CVE-2024-55581 — Improper Certificate Validation in ADA WEB Server

CWE-295 — Improper Certificate Validation4 documents4 sources

Severity

7.4HIGHNVD

EPSS

0.2%

top 53.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Libaws Adacore ADA WEB Server Debian Linux

Timeline

PublishedFeb 26

Latest updateFeb 27

Description

When AdaCore Ada Web Server 25.0.0 is linked with GnuTLS, the default behaviour of AWS.Client is vulnerable to a man-in-the-middle attack because of lack of verification of an HTTPS server's certificate (unless the using program specifies a TLS configuration).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages2 packages

▶NVDadacore/ada_web_server25.0

▶debiandebian/libaws< libaws 20.2-2+deb11u1 (bullseye)

Also affects: Debian Linux 11.0

🔴Vulnerability Details

GHSA

GHSA-6pc8-5263-hvgq: When AdaCore Ada Web Server 25↗2025-02-27

▶

OSV

CVE-2024-55581: When AdaCore Ada Web Server 25↗2025-02-26

▶

📋Vendor Advisories

Debian

CVE-2024-55581: libaws - When AdaCore Ada Web Server 25.0.0 is linked with GnuTLS, the default behaviour ...↗2024

▶