Ava-320: Permissions were not enforced for Ava Aware Counts rules

Release Date

18th November 2020.

Overview

Any authenticated Ava Aware user could view and modify Ava Aware Counts rules through the Ava Aware user interface or API without the appropriate permissions.

Affected Products

• Ava Aware:
  • All Stable upgrade channel versions up to but not including 3.1.5
  • All Beta upgrade channel versions up to but not including 3.2.1

Unaffected Products

• Ava Aware:
  • All Stable upgrade channel versions from 3.1.5
  • All Beta upgrade channel versions from 3.2.1
• Ava Cloud: All versions
• Ava cameras: All versions

Resolution

This issue has been fixed in Ava Aware Beta upgrade channel version 3.2.1 and Stable upgrade channel version 3.1.5. We recommend that all Ava Aware installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface.

Vulnerability Information

Any authenticated Ava Aware user could view and modify Ava Aware Counts rules through the Ava Aware user interface or API without the appropriate permissions.

• CVE: Pending
• CVSSv3.1 score: 5.4 (Medium)
• CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

• 10/11/2020 Issue found internally by Ava Security
• 16/11/2020 Fix identified
• 18/11/2020 Patched Ava Aware 3.2.1 (Beta upgrade channel) released
• 18/11/2020 Patched Ava Aware 3.1.5 (Stable upgrade channel) released
• 18/11/2020 Advisory published internally
• 18/11/2020 Vulnerability publicly disclosed