Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jNHBtLTYzY2ctOWo3aM4AAwNS
Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List
Impact
Applications using the Client Hints analysis feature introduced with 7.0.0 can crash because a crafted Sec-Ch-Ua-Full-Version-List header makes the Yauaa library throw an ArrayIndexOutOfBoundsException. Applications that do not use this feature are not affected.
Patches
Upgrade to 7.9.0
Workarounds
Catch and discard any exceptions from Yauaa.
Permalink: https://github.com/advisories/GHSA-c4pm-63cg-9j7h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNHBtLTYzY2ctOWo3aM4AAwNS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Identifiers: GHSA-c4pm-63cg-9j7h, CVE-2022-23496
References:
- https://github.com/nielsbasjes/yauaa/security/advisories/GHSA-c4pm-63cg-9j7h
- https://nvd.nist.gov/vuln/detail/CVE-2022-23496
- https://github.com/nielsbasjes/yauaa/commit/3017a866e2cff0d308f264b66fde4fa79e3beb9e
- https://github.com/advisories/GHSA-c4pm-63cg-9j7h
Blast Radius: 19.0
Affected Packages
maven:nl.basjes.parse.useragent:yauaa-trino
Dependent packages: 0
Dependent repositories: 1
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1
maven:nl.basjes.parse.useragent:yauaa-snowflake
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1
maven:nl.basjes.parse.useragent:yauaa-nifi-processors
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
maven:nl.basjes.parse.useragent:yauaa-logparser
Dependent packages: 3
Dependent repositories: 3
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 0.10.1, 5.14.1, 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1
maven:nl.basjes.parse.useragent:yauaa-hive
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 5.14.1, 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1
maven:nl.basjes.parse.useragent:yauaa-flink-table
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 5.14.1, 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1
maven:nl.basjes.parse.useragent:yauaa-flink
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 5.14.1, 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1
maven:nl.basjes.parse.useragent:yauaa-elasticsearch-8
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1
maven:nl.basjes.parse.useragent:yauaa-elasticsearch
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1
maven:nl.basjes.parse.useragent:yauaa-drill
Dependent packages: 0
Dependent repositories: 3
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 5.14.1, 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1
maven:nl.basjes.parse.useragent:yauaa-beam-sql
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1
maven:nl.basjes.parse.useragent:yauaa-beam
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 5.14.1, 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1
maven:nl.basjes.parse.useragent:yauaa
Dependent packages: 52
Dependent repositories: 162
Affected Version Ranges: >= 7.0.0, < 7.9.0
Fixed in: 7.9.0
All affected versions: 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0
All unaffected versions: 0.1.1, 0.3.1, 0.10.1, 5.14.1, 7.9.0, 7.9.1, 7.10.0, 7.11.0, 7.12.0, 7.12.1, 7.12.2, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.18.0, 7.19.0, 7.19.1, 7.19.2, 7.20.0, 7.21.0, 7.22.0, 7.23.0, 7.24.0, 7.25.0, 7.26.0, 7.26.1