Fluid Attacks Database

Description

Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List

Impact

Applications using the Client Hints analysis feature introduced with 7.0.0 can crash because the Yauaa library throws an ArrayIndexOutOfBoundsException. Applications that do not use this feature are not affected.

Patches

Upgrade to 7.9.0

Workarounds

Catch and discard any exceptions from Yauaa.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	nl.basjes.parse.useragent:yauaa	>=7.0.0 <7.9.0	7.9.0
maven	nl.basjes.parse.useragent:yauaa-beam-sql	>=7.0.0 <7.9.0	7.9.0
maven	nl.basjes.parse.useragent:yauaa-trino	>=7.0.0 <7.9.0	7.9.0
maven	nl.basjes.parse.useragent:yauaa-flink-table	>=7.0.0 <7.9.0	7.9.0
maven	nl.basjes.parse.useragent:yauaa-logparser	>=7.0.0 <7.9.0	7.9.0
maven	nl.basjes.parse.useragent:yauaa-snowflake	>=7.0.0 <7.9.0	7.9.0
maven	nl.basjes.parse.useragent:yauaa-beam	>=7.0.0 <7.9.0	7.9.0
maven	nl.basjes.parse.useragent:yauaa-drill	>=7.0.0 <7.9.0	7.9.0
maven	nl.basjes.parse.useragent:yauaa-elasticsearch	>=7.0.0 <7.9.0	7.9.0
maven	nl.basjes.parse.useragent:yauaa-elasticsearch-8	>=7.0.0 <7.9.0	7.9.0

1-10 of 12

Aliases

1. CVE-2022-234962. NVD-2022-234963. OSV-2022-234964. GHSA-c4pm-63cg-9j7h5. GCVE-2022-23496

References

1. https://github.com/nielsbasjes/yauaa/security/advisories/GHSA-c4pm-63cg-9j7h2. https://github.com/nielsbasjes/yauaa/commit/3017a866e2cff0d308f264b66fde4fa79e3beb9e