A crafted Sec-Ch-Ua-Full-Version-List can trigger an ArrayIndexOutOfBoundsException in Yauaa 7.0.0-7.8.0

High
nielsbasjes published GHSA-c4pm-63cg-9j7h Dec 8, 2022

Package                                            Affected versions   Patched versions
nl.basjes.parse.useragent:yauaa (Maven)            < 7.9.0             7.9.0
nl.basjes.parse.useragent:yauaa-beam (Maven)       < 7.9.0             7.9.0
nl.basjes.parse.useragent:yauaa-beam-sql (Maven)   < 7.9.0             7.9.0
nl.basjes.parse.useragent:yauaa-drill (Maven)      < 7.9.0             7.9.0
nl.basjes.parse.useragent:yauaa-elasticsearch (Maven)    < 7.9.0       7.9.0
nl.basjes.parse.useragent:yauaa-elasticsearch-8 (Maven)  < 7.9.0       7.9.0
nl.basjes.parse.useragent:yauaa-flink (Maven)      < 7.9.0             7.9.0
nl.basjes.parse.useragent:yauaa-flink-table (Maven)      < 7.9.0       7.9.0
nl.basjes.parse.useragent:yauaa-hive (Maven)       < 7.9.0             7.9.0
nl.basjes.parse.useragent:yauaa-logparser (Maven)  < 7.9.0             7.9.0
nl.basjes.parse.useragent:yauaa-nifi-processors (Maven)  < 7.9.0       7.9.0
nl.basjes.parse.useragent:yauaa-snowflake (Maven)  < 7.9.0             7.9.0
nl.basjes.parse.useragent:yauaa-trino (Maven)      < 7.9.0             7.9.0

Description

Impact

Applications using the Client Hints analysis feature introduced in 7.0.0 can crash, because a crafted Sec-Ch-Ua-Full-Version-List header causes the Yauaa library to throw an ArrayIndexOutOfBoundsException.

Applications that do not use this feature are not affected.

Patches

Upgrade to 7.9.0.

Workarounds

Catch and discard any exceptions from Yauaa.
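One way to apply this workaround in an application, as an added example that is not part of the advisory or of the Yauaa project: a wrapper that catches the runtime exception from the Client Hints parse path, logs it so the event is visible, and falls back to analysing the User-Agent header alone. It assumes Yauaa 7.x's UserAgentAnalyzer.parse(Map<String,String>) is the Client Hints entry point and parse(String) the User-Agent-only path.

```java
// Added example (not from the advisory or the Yauaa project). Assumptions:
// UserAgentAnalyzer.parse(Map<String,String>) consumes request headers including
// Client Hints, and parse(String) analyses only the User-Agent string.
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import nl.basjes.parse.useragent.UserAgent;
import nl.basjes.parse.useragent.UserAgentAnalyzer;

public final class SafeUserAgentParser {
    private static final Logger LOG = Logger.getLogger(SafeUserAgentParser.class.getName());
    private final UserAgentAnalyzer analyzer;

    public SafeUserAgentParser() {
        this.analyzer = UserAgentAnalyzer.newBuilder()
                .hideMatcherLoadStats()
                .withCache(10000)
                .build();
    }

    /**
     * Parses the request headers with Client Hints support. If the library throws
     * (for affected versions, the ArrayIndexOutOfBoundsException of CVE-2022-23496),
     * the exception is caught and logged, and the analysis is retried with the
     * User-Agent header alone so the caller degrades instead of crashing.
     */
    public UserAgent parse(Map<String, String> requestHeaders) {
        try {
            return analyzer.parse(requestHeaders);
        } catch (RuntimeException e) {
            LOG.warning("Yauaa failed on Client Hints headers ("
                    + e.getClass().getSimpleName() + "); falling back to User-Agent only");
            String userAgent = requestHeaders.getOrDefault("User-Agent", "");
            return analyzer.parse(userAgent);
        }
    }

    public static void main(String[] args) {
        SafeUserAgentParser parser = new SafeUserAgentParser();
        // Constructed sample headers with ordinary, well-formed values.
        Map<String, String> headers = new HashMap<>();
        headers.put("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                + "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36");
        headers.put("Sec-Ch-Ua-Full-Version-List",
                "\"Chromium\";v=\"108.0.5359.95\", \"Google Chrome\";v=\"108.0.5359.95\"");
        UserAgent agent = parser.parse(headers);
        System.out.println(agent.getValue("AgentNameVersion"));
    }
}
```

The warning log line gives operators a signal that malformed Client Hints are arriving, which is worth alerting on until the upgrade to 7.9.0 is deployed.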

Severity

High 8.6 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE ID

CVE-2022-23496

Weaknesses