06 Sept 2021.
The iOS app persists data related to cameras, alarms etc. on the mobile device even after the user logs out. So if the device is shared amongst multiple users, some users might be able to access data they do not have permissions for.
- Ava Aware:
- All iOS app versions before 2.6.0.
- All iOS app Beta versions before 2.6.0.
- Ava Aware: all versions of the web client and Android app.
- Ava Cameras: all versions.
- Ava Cloud: all versions.
This issue has been fixed in Ava Aware iOS Beta version 2.6.0 and Stable version 2.6.0.
It is strongly recommended that all users using an affected version of the app upgrade to the latest release as soon as possible. Releases are available to download through the iOS App Store.
- CVE: pending
- CVSSv3 score: 5.0 (Medium)
- CVSSv3 vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
There are no known mitigations for this issue.
There are no known work arounds for this issue.
Issue found internally by Ava Security.
- 03/08/2021 Issue found internally by Ava Security
- 04/08/2021 Root cause established
- 04/08/2021 Fix identified
- 19/08/2021 Patched Ava Aware iOS app (Beta) released
- 02/09/2021 Patched Ava Aware iOS app (Stable) released
- 06/09/2021 Vulnerability publicly disclosed