8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23496

CVE-2022-23496: Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List

Impact

Applications using the Client Hints analysis feature introduced with 7.0.0 can crash because the Yauaa library throws an ArrayIndexOutOfBoundsException. Applications that do not use this feature are not affected.

Patches

Upgrade to 7.9.0

Workarounds

Catch and discard any exceptions from Yauaa.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-23496

CVE-2022-23496:

8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nl.basjes.parse.useragent:yauaa	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-beam	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-beam-sql	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-drill	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-elasticsearch	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-elasticsearch-8	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-flink	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-flink-table	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-hive	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-logparser	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-snowflake	maven	>= 7.0.0, < 7.9.0	7.9.0
nl.basjes.parse.useragent:yauaa-trino	maven	>= 7.0.0, < 7.9.0	7.9.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in Client Hints processing where version strings are split using String.split("\\."). The original code (lines 318-325 in diff) contained direct array accesses to versionSplits[1] without verifying the array length first. This could crash when handling short version strings like '100' instead of '100.0.4896.127'. The patch adds length checks and version validation logic (newVersionIsBetter()) to prevent these out-of-bounds accesses.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-23496: Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List

Impact

Patches

Workarounds

CVE-2022-23496:

8.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

8.6

8.6

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-23496: Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List

Impact

Patches

Workarounds

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI