Security Advisories

Ava-601: Preliminary vulnerability advisory
Release Date 17 December 2021. Overview Ava Security have been informed about a vulnerability in the Ava Aware, Ava Cameras, and Ava Cloud software and a...
Fri, 17 Dec, 2021 at 4:12 PM
Ava-551: Maliciously crafted API request could deny service from Ava Aware
Release Date 9th Dec 2021. Overview Due to a vulnerability in the Go archive/zip package, an authenticated Aware user with the permission to Add/Edit app...
Mon, 13 Dec, 2021 at 1:31 PM
Ava-450: API Documentation Accessible to Unauthenticated Users
Release Date 29th November 2021. Overview It was possible to retrieve documentation for the VMS API as an unauthenticated user. It could be used by an at...
Mon, 29 Nov, 2021 at 10:14 AM
Ava-537: Permissions not fully enforced when testing webhooks from Ava devices
Release Date 19th October 2021. Overview An authenticated Ava Aware user could use the API to send webhooks via cameras which the user did not have th...
Tue, 19 Oct, 2021 at 3:12 PM
Ava-423: Insufficient authorization for reading partial camera credentials
Release Date 19th October 2021. Overview Any authenticated Ava Aware user could use the API to read the username and notes of camera credentials. Affect...
Tue, 19 Oct, 2021 at 11:42 AM
Ava-540: Insufficient authorization of video backups
Release Date 30th September 2021. Overview Any authenticated Ava Aware user could download and delete backed up recordings made by any Ava Camera connect...
Wed, 13 Oct, 2021 at 6:23 PM
Ava-563: Preliminary vulnerability advisory
Release Date 06 October 2021. Overview Ava Security have found a vulnerability in the Ava Cameras software and are resolving the issue. Further details ...
Wed, 6 Oct, 2021 at 3:32 PM
Ava-549: Google Cloud Identity-Aware Proxy (IAP) issue impacting Ava Security Cloud Deployments
Release Date 23rd September 2021. Overview This is a dual advisory covering the impact to both Reveal and Aware product lines. On 17th September at 12...
Thu, 23 Sep, 2021 at 12:28 PM
Ava-531: A malicious HTTP client could deny service to Ava Aware
Release Date 7th September 2021. Overview Due to a vulnerability in the Go net/http/httputil package, a malicious HTTP client could exploit a race condit...
Tue, 7 Sep, 2021 at 9:11 AM
Ava-507: External sharing links can lead to access to live video through thumbnail and timeline abuse
Release Date 7th September 2021. Overview Under the right circumstances an attacker with access to an external video sharing link can leak live video th...
Tue, 7 Sep, 2021 at 9:10 AM