Security Advisories

Ava-504: Ava Camera API does not enforce password strength server side
Release Date 7th September 2021. Overview Due to a recent "secure by design" architecture change of all Ava Camera. The decision was made to mo...
Tue, 7 Sep, 2021 at 9:09 AM
Ava-486: A malicious server could deny service to Ava Aware during TLS handshake
Release Date 7th September 2021. Overview Due to a vulnerability in the Go crypto/tls package, if Ava Aware or an Ava camera were to perform a secure TLS ...
Tue, 7 Sep, 2021 at 9:07 AM
Ava-511: Aware iOS app persists data across user sessions
Release Date 06 Sept 2021. Overview The iOS app persists data related to cameras, alarms etc. on the mobile device even after the user logs out. So if th...
Mon, 6 Sep, 2021 at 2:17 PM
Ava-422: Camera verbose flag logs RTSP credentials
Release Date 9th Aug 2021. Overview When running the camera in verbose debugging mode RTSP credentials may be logged. Affected Products Ava Cameras: ...
Mon, 9 Aug, 2021 at 9:49 AM
Ava-464: Unauthenticated access to camera metrics
Release Date 14th July 2021. Overview An API endpoint of the Ava Camera could be used to view some internal metrics of the camera without authentication....
Wed, 14 Jul, 2021 at 10:36 AM
Ava-420: Access to internal system components through API misuse
Release Date 12th July. Overview This is an extension of Ava-418 which contains various security patches to internal API, physical Access Control integra...
Mon, 12 Jul, 2021 at 2:25 PM
Ava-441: Maliciously crafted API request could deny service from Ava Aware
Release Date 18th June 2021. Overview Due to a vulnerability in the Go `archive/zip` package, an authenticated Aware user with the permission to Add/Edit...
Mon, 21 Jun, 2021 at 5:42 PM
Ava-432: Denial of Service through large HTTP server response headers
Release Date 21st June 2021. Overview If a malicious HTTP server sends a response with very large headers, this can cause a stack overflow leading to a pani...
Mon, 21 Jun, 2021 at 3:54 PM
Ava-418: Access to internal cloud components using Aware webhooks
Release Date 25th May 2021. Overview An authenticated Ava Aware user with the relevant webhook edit permission would have been able to craft a malicious ...
Fri, 4 Jun, 2021 at 2:28 PM
Ava-412: Permissions not enforced for empty rules and counting areas in Aware
Release Date 26th May 2021. Overview An authenticated Ava Aware user could create and delete rules and counting areas without the appropriate permissions...
Fri, 4 Jun, 2021 at 2:27 PM