Security Advisories

Ava-537: Permissions not fully enforced when testing webhooks from Ava devices
Release Date 19th October 2021. Overview An authenticated Ava Aware user could use the API to send webhooks via cameras which the user did not have th...
Tue, 19 Oct, 2021 at 3:12 PM
Ava-423: Insufficient authorization for reading partial camera credentials
Release Date 19th October 2021. Overview Any authenticated Ava Aware user could use the API to read the username and notes of camera credentials. Affect...
Tue, 19 Oct, 2021 at 11:42 AM
Ava-540: Insufficient authorization of video backups
Release Date 30th September 2021. Overview Any authenticated Ava Aware user could download and delete backed up recordings made by any Ava Camera connect...
Wed, 13 Oct, 2021 at 6:23 PM
Ava-563: Preliminary vulnerability advisory
Release Date 06 October 2021. Overview Ava Security have found a vulnerability in the Ava Cameras software and are resolving the issue. Further details ...
Wed, 6 Oct, 2021 at 3:32 PM
Ava-551: Preliminary vulnerability advisory
Release Date 23 September 2021. Overview Ava Security have been informed about a vulnerability in the Ava Aware software and are resolving the issue. Fu...
Fri, 24 Sep, 2021 at 10:54 AM
Ava-549: Google Cloud Identity-Aware Proxy (IAP) issue impacting Ava Security Cloud Deployments
Release Date 23rd September 2021. Overview This is a dual advisory covering the impact to both Reveal and Aware product lines. On 17th September at 12...
Thu, 23 Sep, 2021 at 12:28 PM
Ava-531: A malicious HTTP client could deny service to Ava Aware
Release Date 7th September 2021. Overview Due to a vulnerability in the Go net/http/httputil package, a malicious HTTP client could exploit a race condit...
Tue, 7 Sep, 2021 at 9:11 AM
Ava-507: External sharing links can lead to access to live video through thumbnail and timeline abuse
Release Date 7th September 2021. Overview Under the right circumstances an attacker with access to an external video sharing link can leak live video th...
Tue, 7 Sep, 2021 at 9:10 AM
Ava-504: Ava Camera API does not enforce password strength server side
Release Date 7th September 2021. Overview Due to a recent "secure by design" architecture change of all Ava Camera. The decision was made to mo...
Tue, 7 Sep, 2021 at 9:09 AM
Ava-486: A malicious server could deny service to Ava Aware during TLS handshake
Release Date 7th September 2021. Overview Due to a vulnerability in the Go crypto/tls package, if Ava Aware or an Ava camera were to perform a secure TLS ...
Tue, 7 Sep, 2021 at 9:07 AM