Lucene search

GitHub Advisory DatabaseGHSA-C4PM-63CG-9J7H

HistoryDec 08, 2022 - 3:52 p.m.

Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List

2022-12-0815:52:54

CWE-755

GitHub Advisory Database

github.com

yauaa

arrayindexoutofboundsexception

sec-ch-ua-full-version-list

client hints

upgrade

vulnerability

crafted header

applications

crash

exceptions

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

38.0%

JSON

Impact

Applications using the Client Hints analysis feature introduced with 7.0.0 can crash because the Yauaa library throws an ArrayIndexOutOfBoundsException. Applications that do not use this feature are not affected.

Patches

Upgrade to 7.9.0

Workarounds

Catch and discard any exceptions from Yauaa.

Affected configurations

Vulners

Node

nl.basjes.parse.useragent\yauaaMatchtrino

nl.basjes.parse.useragent\yauaaMatchsnowflake

nl.basjes.parse.useragent\Matchyauaa

nl.basjes.parse.useragent\yauaaMatchlogparser

nl.basjes.parse.useragent\yauaaMatchhive

nl.basjes.parse.useragent\yauaaMatchflink

nl.basjes.parse.useragent\yauaaMatchelasticsearch

nl.basjes.parse.useragent\yauaaMatchdrill

nl.basjes.parse.useragent\yauaaMatchbeam

nl.basjes.parse.useragent\Matchyauaa

CPENameOperatorVersion
nl.basjes.parse.useragent:yauaa-trinolt7.9.0
nl.basjes.parse.useragent:yauaa-snowflakelt7.9.0
nl.basjes.parse.useragent:yauaa-nifi-processorslt7.9.0
nl.basjes.parse.useragent:yauaa-logparserlt7.9.0
nl.basjes.parse.useragent:yauaa-hivelt7.9.0
nl.basjes.parse.useragent:yauaa-flink-tablelt7.9.0
nl.basjes.parse.useragent:yauaa-flinklt7.9.0
nl.basjes.parse.useragent:yauaa-elasticsearch-8lt7.9.0
nl.basjes.parse.useragent:yauaa-elasticsearchlt7.9.0
nl.basjes.parse.useragent:yauaa-drilllt7.9.0

Name	Operator	Version
nl.basjes.parse.useragent:yauaa-trino	lt	7.9.0
nl.basjes.parse.useragent:yauaa-snowflake	lt	7.9.0
nl.basjes.parse.useragent:yauaa-nifi-processors	lt	7.9.0
nl.basjes.parse.useragent:yauaa-logparser	lt	7.9.0
nl.basjes.parse.useragent:yauaa-hive	lt	7.9.0
nl.basjes.parse.useragent:yauaa-flink-table	lt	7.9.0
nl.basjes.parse.useragent:yauaa-flink	lt	7.9.0
nl.basjes.parse.useragent:yauaa-elasticsearch-8	lt	7.9.0
nl.basjes.parse.useragent:yauaa-elasticsearch	lt	7.9.0
nl.basjes.parse.useragent:yauaa-drill	lt	7.9.0