CVE-2020-7791
Insufficient handling of erroneous language tags vulnerability in i18n (NuGet)
What is CVE-2020-7791 About?
The i18n package before version 2.1.15 contains a vulnerability stemming from insufficient handling of erroneous language tags in `src/i18n/Concrete/TextLocalizer.cs` and `src/i18n/LocalizedApplication.cs`. This flaw can lead to unexpected behavior or potential denial of service when processing malformed language tag inputs. Exploitation typically involves providing specially crafted language tags.
Technical Details
The vulnerability in the i18n package (versions prior to 2.1.15) lies in the `Concrete/TextLocalizer.cs` and `LocalizedApplication.cs` files, specifically in their mechanisms for processing and handling language tags. The code fails to adequately validate or sanitize malformed or erroneous language tags provided as input. When the application attempts to interpret or utilize these improperly structured tags, it can lead to unhandled exceptions, incorrect memory access, or resource exhaustion. The exact mechanism of failure would depend on the specific malformation and the code paths it triggers, but it ultimately results from a lack of robust error handling and input validation for language tag data.
What is the Impact of CVE-2020-7791?
Successful exploitation may allow attackers to trigger application crashes or unexpected behavior, potentially leading to a denial-of-service condition or resource exhaustion.
What is the Exploitability of CVE-2020-7791?
Exploiting this vulnerability requires an attacker to provide specially crafted, erroneous language tags as input to the application using the i18n package. The attack can be remote if the application accepts untrusted language tag data from external sources (e.g., HTTP headers, user input fields) or local if the data originates from a local file. No authentication or special privileges are strictly needed to trigger the vulnerability once the malicious input is processed. The prerequisite is that the application uses the i18n package and processes language tags from untrusted sources. There are no major special conditions or constraints, other than ensuring the malformed tag reaches the vulnerable code paths. Risk factors include applications that heavily rely on external or user-controlled language preferences without thorough input validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7791?
Available Upgrade Options
- i18n
  - <2.1.15 → Upgrade to 2.1.15
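To find projects still inside the affected range, the following added example (not code from the i18n project or from this advisory) scans `packages.config` or `*.csproj` content for an i18n reference below 2.1.15. The function names and the sample XML are constructed for illustration; it assumes versions are declared in one of those two formats.

```python
import xml.etree.ElementTree as ET

PACKAGE_ID = "i18n"   # NuGet package ids are case-insensitive
FIXED = (2, 1, 15)    # first fixed version, taken from the advisory
# Constructed sample inputs, not taken from any real project.
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="I18N" version="2.1.14" targetFramework="net48" />
  <package id="Newtonsoft.Json" version="12.0.3" />
</packages>"""
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="i18n" Version="2.1.15" />
    <PackageReference Include="i18n"><Version>2.*</Version></PackageReference>
  </ItemGroup>
</Project>"""

def local(tag):
    """Drop an XML namespace so old-style and SDK-style project files match alike."""
    return tag.rsplit("}", 1)[-1]

def find_versions(xml_text):
    """Yield the version strings declared for PACKAGE_ID in the given XML text."""
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "package":               # packages.config entry
            pkg, ver = el.get("id"), el.get("version")
        elif local(el.tag) == "PackageReference":    # *.csproj entry
            pkg = el.get("Include") or el.get("Update")
            ver = el.get("Version") or next(
                (c.text for c in el if local(c.tag) == "Version"), None)
        else:
            continue
        if pkg and pkg.lower() == PACKAGE_ID:
            yield (ver or "").strip()

def classify(xml_text):
    """Return [(version, status)], status in {'vulnerable', 'ok', 'review'}."""
    results = []
    for ver in find_versions(xml_text):
        core, _, prerelease = ver.partition("-")
        parts = core.split(".")
        if not all(p.isdigit() for p in parts):
            status = "review"            # floating, range or missing version
        else:
            nums = tuple(int(p) for p in parts[:3]) + (0,) * (3 - len(parts))
            status = ("review" if prerelease and nums == FIXED  # prerelease of the fix
                      else "vulnerable" if nums < FIXED else "ok")
        results.append((ver, status))
    return results
```

Entries marked `review` use a floating or range version, or a prerelease of 2.1.15, so the resolved version has to be checked by hand.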
Additional Resources
- https://github.com/turquoiseowl/i18n/commit/c418e3345313dc896c1951d8c46ab0b9b12fcbd3
- https://lists.apache.org/thread.html/r33dc233634aedb04fa77db3eb79ea12d15ca4da89fa46a1c585ecb0b%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5e08837e695efd36be73510ce58ec05785dbcea077819d8acc2d990d%40%3Ccommits.druid.apache.org%3E
- https://osv.dev/vulnerability/GHSA-hfvc-g252-rp4g
- https://lists.apache.org/thread.html/r1573c58dc283b05f7a40a3f5ff0079b5bbde0492d406ee0fe98d40b6%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r394b1ae54693609a60ea8aab02ff045dc92f593aa3aebff562e69958@%3Ccommits.druid.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2020-7791
- https://lists.apache.org/thread.html/ra5047392edf1fecba441c9adc8807ed6c5f7d2cc71f2f3bb89f35371%40%3Ccommits.druid.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-7791?
Similar Vulnerabilities: CVE-2023-36605, CVE-2022-26154, CVE-2021-41127, CVE-2021-39185, CVE-2020-8199
