CVE-2024-55581
Published: 26 February 2025
Description
When AdaCore Ada Web Server 25.0.0 is linked with GnuTLS, the default behaviour of AWS.Client is vulnerable to a man-in-the-middle attack because of lack of verification of an HTTPS server's certificate (unless the using program specifies a TLS configuration).
Security Summary
CVE-2024-55581 is a vulnerability in AdaCore Ada Web Server version 25.0.0 when linked with GnuTLS. The issue stems from the default behavior of AWS.Client, which fails to verify an HTTPS server's certificate unless the using program explicitly specifies a TLS configuration. This improper certificate validation, mapped to CWE-295, exposes applications to man-in-the-middle attacks. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility and significant confidentiality and integrity impacts.
Attackers can exploit this vulnerability by positioning themselves between the AWS.Client and the target HTTPS server, such as on a compromised network or through techniques requiring high complexity like ARP spoofing or DNS poisoning. No privileges or user interaction are needed. Successful exploitation allows the attacker to intercept, read, and potentially modify sensitive data in transit, compromising confidentiality and integrity without impacting availability.
For mitigation guidance, refer to the AdaCore security advisory SEC.AWS-0056-v1 at https://docs.adacore.com/corp/security-advisories/SEC.AWS-0056-v1.pdf and the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00007.html.
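The failure class here is CWE-295: a TLS client that completes the handshake without checking who signed the server's certificate or whether it names the host, so an on-path party can present any certificate and be accepted. Ada Web Server is an Ada library, and the AdaCore advisory linked above is the authoritative fix; the following is an added Go example, not AdaCore's or the Debian maintainers' code, that models the two client behaviours side by side and doubles as the kind of harness a team can use to confirm that a given client actually verifies certificates. It mints two self-signed certificates for the same hypothetical name (api.example.test, an assumption; nothing on the page names a host), serves each on a loopback listener so that the second plays the impostor, and then connects with a client that skips verification (the unverified default the advisory describes) and with one that pins the legitimate certificate and checks the hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// host is a hypothetical server name used only for this demonstration.
const host = "api.example.test"

// newServer mints a self-signed certificate for host and serves it on a
// loopback TLS listener. Calling it twice yields two servers for the same
// name with unrelated keys: the second stands in for a man-in-the-middle.
func newServer() (net.Listener, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname checks use SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // a client alert here is expected in the impostor case
			}()
		}
	}()
	return ln, leaf, nil
}

// handshake connects to addr with cfg and reports whether the TLS handshake
// (including whatever certificate checks cfg enables) succeeded.
func handshake(addr string, cfg *tls.Config) bool {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// RunScenario starts a legitimate server and an impostor presenting a different
// certificate for the same name, then runs two clients against them:
// one that skips certificate verification (the CWE-295 default the advisory
// describes) and one that pins the legitimate certificate and checks the name.
func RunScenario() (unverifiedAcceptsImpostor, verifiedAcceptsLegit, verifiedRejectsImpostor bool, err error) {
	legitLn, legitCert, err := newServer()
	if err != nil {
		return
	}
	defer legitLn.Close()
	impLn, _, err := newServer()
	if err != nil {
		return
	}
	defer impLn.Close()

	unverified := &tls.Config{ServerName: host, InsecureSkipVerify: true}
	pool := x509.NewCertPool()
	pool.AddCert(legitCert)
	verified := &tls.Config{ServerName: host, RootCAs: pool, MinVersion: tls.VersionTLS12}

	unverifiedAcceptsImpostor = handshake(impLn.Addr().String(), unverified)
	verifiedAcceptsLegit = handshake(legitLn.Addr().String(), verified)
	verifiedRejectsImpostor = !handshake(impLn.Addr().String(), verified)
	return
}
```

The three results are the acceptance criteria for any HTTPS client build: the unverifying configuration talks happily to the impostor, which is the condition the CVE describes, while the verifying configuration still reaches the real server and refuses the impostor. Running a client under test against two such loopback servers, rather than against the public internet, is a cheap way to prove that a deployed AWS.Client (or any other client) has a TLS configuration that actually enforces certificate and hostname checks.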
Details
- CWE(s): CWE-295 (Improper Certificate Validation)