8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23496

GHSA ID

GHSA-c4pm-63cg-9j7h

EPSS Score

0.21532%

CWE

CWE-755

Published

12/8/2022

Updated

1/17/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23496

CVE-2022-23496:
Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List

Impact

Applications using the Client Hints analysis feature introduced with 7.0.0 can crash because the Yauaa library throws an ArrayIndexOutOfBoundsException. Applications that do not use this feature are not affected.

Patches

Upgrade to 7.9.0

Workarounds

Catch and discard any exceptions from Yauaa.

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23496

GHSA ID

GHSA-c4pm-63cg-9j7h

EPSS Score

0.21532%

CWE

CWE-755

Published

12/8/2022

Updated

1/17/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nl.basjes.parse.useragent:yauaa	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-beam	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-beam-sql	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-drill	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-elasticsearch	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-elasticsearch-8	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-flink	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-flink-table	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-hive	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-logparser	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-snowflake	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-trino	maven	>= 7.0.0, < 7.9.0	7.9.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in Client Hints processing where version strings are split using String.split("\\."). The original code (lines 318-325 in diff) contained direct array accesses to versionSplits[1] without verifying the array length first. This could crash when handling short version strings like '100' instead of '100.0.4896.127'. The patch adds length checks and version validation logic (newVersionIsBetter()) to prevent these out-of-bounds accesses.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ppli**tions usin* t** *li*nt *ints *n*lysis ***tur* intro*u*** wit* *.*.* **n *r*s* ****us* t** Y*u** li*r*ry t*rows *n *rr*yIn**xOutO**oun*s*x**ption. *ppli**tions t**t *o not us* t*is ***tur* *r* not *****t**. ### P*t***s Up*r*** to *.

Reasoning

T** vuln*r**ility m*ni**sts in *li*nt *ints pro**ssin* w**r* v*rsion strin*s *r* split usin* `Strin*.split("\\.").` T** ori*in*l *o** (lin*s ***-*** in *i**) *ont*in** *ir**t *rr*y ****ss*s to `v*rsionSplits[*]` wit*out v*ri*yin* t** *rr*y l*n*t* *ir

8.6

Basic Information

Concerned about an active attack path?

CVE-2022-23496: Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List

Impact

Patches

Workarounds

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-23496:
Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List

Vulnerability Intelligence
Miggo AI