CVE-2024-37015

Aug. 13, 2024, 7:35 p.m.

7.4
High

Description

An issue was discovered in Ada Web Server 20.0. When configured to use SSL (which is not the default setting), the SSL/TLS used to establish connections to external services is done without proper hostname validation. This is exploitable by man-in-the-middle attackers.

Product(s) Impacted

Product Versions
Ada Web Server
  • ['20.0']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-297
Improper Validation of Certificate with Host Mismatch
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

References

https://docs.adacore.com/corp/security-advisories/SEC.AWS-0031-v2.pdf
https://github.com/AdaCore/aws

Tags

cve@mitre.org
CWE-297
2024-08-13
CVE-2024-37015

CVSS Score

7.4 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: Aug. 13, 2024, 5:15 p.m.
Last Modified: Aug. 13, 2024, 7:35 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.