Security Advisories

Ava-531: A malicious HTTP client could deny service to Ava Aware
Release Date 7th September 2021. Overview Due to a vulnerability in the Go net/http/httputil package, a malicious HTTP client could exploit a race condit...
Tue, 7 Sep, 2021 at 9:11 AM
Ava-507: External sharing links can lead to access to live video through thumbnail and timeline abuse
Release Date 7th September 2021. Overview Under the right circumstances, an attacker with access to an external video sharing link can leak live video th...
Tue, 7 Sep, 2021 at 9:10 AM
Ava-504: Ava Camera API does not enforce password strength server side
Release Date 7th September 2021. Overview Due to a recent "secure by design" architecture change of all Ava Camera. The decision was made to mo...
Tue, 7 Sep, 2021 at 9:09 AM
Ava-486: A malicious server could deny service to Ava Aware during TLS handshake
Release Date 7th September 2021. Overview Due to a vulnerability in the Go crypto/tls package, if Ava Aware or an Ava camera were to perform a secure TLS ...
Tue, 7 Sep, 2021 at 9:07 AM
Ava-511: Aware iOS app persists data across user sessions
Release Date 06 Sept 2021. Overview The iOS app persists data related to cameras, alarms etc. on the mobile device even after the user logs out. So if th...
Mon, 6 Sep, 2021 at 2:17 PM
Ava-537: Preliminary vulnerability advisory
Release Date 02 September 2021. Overview Ava Security have found a vulnerability in the Ava Aware software and are resolving the issue. Further details ...
Thu, 2 Sep, 2021 at 6:06 PM
AVA-422: CAMERA VERBOSE FLAG LOGS RTSP CREDENTIALS
Release Date 9th Aug 2021. Overview When running the camera in verbose debugging mode RTSP credentials may be logged. Affected Products Ava Cameras: ...
Mon, 9 Aug, 2021 at 9:49 AM
Ava-464: UNAUTHENTICATED ACCESS TO CAMERA METRICS
Release Date 14th July 2021. Overview An API endpoint of the Ava Camera could be used to view some internal metrics of the camera without authentication....
Wed, 14 Jul, 2021 at 10:36 AM
Ava-420: Access to internal system components through API misuse
Release Date 12th July. Overview This is an extension of Ava-418 which contains various security patches to internal API, physical Access Control integra...
Mon, 12 Jul, 2021 at 2:25 PM
Ava-441: Maliciously crafted API request could deny service from Ava Aware
Release Date 18th June 2021. Overview Due to a vulnerability in the Go `archive/zip` package, an authenticated Aware user with the permission to Add/Edit...
Mon, 21 Jun, 2021 at 5:42 PM