Alta-Aware-875 Ava Cloud API denial of service vulnerability

Release Date

31st of October 2023.

Overview

The Ava Cloud API would crash when updating or deleting specific resources outside of the organization structure.

Affected Products

  • Ava Cloud: before 21st July 2023.

Unaffected Products

  • Ava Aware: all versions.
  • Ava Cameras: all versions.
  • Ava Cloud: from 21st July 2023.

Resolution

A fix was deployed to the Ava Cloud on 21st July 2023. Ava Cloud customers do not need to take any additional action.

Vulnerability Information

Mitigations

There are no known mitigations for this issue.

Work arounds

There are no known work arounds for this issue.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

  • 19/07/2023 Issue found internally by Ava Security
  • 19/07/2023 Root cause established
  • 19/07/2023 Fix identified
  • 21/07/2023 Patched Ava Cloud released
  • 31/10/2023 Vulnerability publicly disclosed