CVE-2022-23496:
Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List
8.6
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.21532%
CWE
Published
12/8/2022
Updated
1/17/2025
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
nl.basjes.parse.useragent:yauaa | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
nl.basjes.parse.useragent:yauaa-beam | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
nl.basjes.parse.useragent:yauaa-beam-sql | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
nl.basjes.parse.useragent:yauaa-drill | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
nl.basjes.parse.useragent:yauaa-elasticsearch | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
nl.basjes.parse.useragent:yauaa-elasticsearch-8 | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
nl.basjes.parse.useragent:yauaa-flink | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
nl.basjes.parse.useragent:yauaa-flink-table | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
nl.basjes.parse.useragent:yauaa-hive | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
nl.basjes.parse.useragent:yauaa-logparser | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
nl.basjes.parse.useragent:yauaa-snowflake | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
nl.basjes.parse.useragent:yauaa-trino | maven | >= 7.0.0, < 7.9.0 | 7.9.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability manifests in Client Hints processing where version strings are split using String.split("\\.").
The original code (lines 318-325 in diff) contained direct array accesses to versionSplits[1]
without verifying the array length first. This could crash when handling short version strings like '100' instead of '100.0.4896.127'. The patch adds length checks and version validation logic
(newVersionIsBetter()
) to prevent these out-of-bounds accesses.