Lucene search

GoogleOSV:GHSA-C4PM-63CG-9J7H

HistoryDec 08, 2022 - 3:52 p.m.

Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List

2022-12-0815:52:54

Google

osv.dev

yauaa

arrayindexoutofboundsexception

sec-ch-ua-full-version-list

client hints

upgrade

workarounds

exceptions

7.9.0

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

39.3%

JSON

Impact

Applications using the Client Hints analysis feature introduced with 7.0.0 can crash because the Yauaa library throws an ArrayIndexOutOfBoundsException. Applications that do not use this feature are not affected.

Patches

Upgrade to 7.9.0

Workarounds

Catch and discard any exceptions from Yauaa.

References

github.com/nielsbasjes/yauaa

github.com/nielsbasjes/yauaa/commit/3017a866e2cff0d308f264b66fde4fa79e3beb9e

github.com/nielsbasjes/yauaa/security/advisories/GHSA-c4pm-63cg-9j7h

nvd.nist.gov/vuln/detail/CVE-2022-23496

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

39.3%

JSON

Related for OSV:GHSA-C4PM-63CG-9J7H