Ava-589: Ava Aware servers could be claimed by other deployments

Release Date

14th March 2022.

Overview

An attacker with access to an Ava Aware deployment could claim servers that belong to another deployment. This vulnerability has not been exploited and no servers have been affected.

Affected Products

• Ava Cloud: before 13th December 2021.

Unaffected Products

• Ava Aware: all versions.
• Ava cameras: all versions.
• Ava Cloud: from 13th December 2021.

Resolution

A fix was deployed to the Ava Cloud on 13th December 2021. Ava Cloud customers do not need to take any additional action.

Vulnerability Information

• CVE: pending
• CVSSv3 score: 8.5 (High)
• CVSSv3 vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Mitigations

There are no known mitigations for this issue.

Work arounds

There are no known work arounds for this issue.

Disclosure Timeline

• 02/12/2021 Issue found internally by Ava Security
• 02/12/2021 Root cause established
• 08/12/2021 Fix identified
• 13/12/2021 Patched Ava Cloud released
• 14/03/2022 Vulnerability publicly disclosed