
CVE-2020-7791: Denial of Service in i18n

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.80126%
Published: 12/14/2020
Updated: 1/29/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| i18n | nuget | < 2.1.15 | 2.1.15 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from two key flaws:

  1. In TextLocalizer.cs, IsLanguageValid() didn't check for null/empty langtags before validation, allowing invalid input to reach core logic (CWE-20). This is confirmed by the patch adding a 'langtag.IsSet()' guard clause.
  2. In LocalizedApplication.cs, the DefaultLanguage setter assigned LanguageTag.GetCachedInstance() results without null-checking, potentially propagating null references (CWE-400). The patch adds a null-check before assignment.

Both issues lead to unhandled exceptions that terminate the process, matching the described DoS impact. The commit diff and vulnerability description directly implicate these functions.
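The two patterns described above, side by side with their guarded forms, as an added example that is not the i18n package's source. The `LanguageTag` and `Localizer` classes, the regex, the resource table and the sample inputs are simplified stand-ins constructed for illustration, and `string.IsNullOrEmpty` stands in for the `IsSet()` guard.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Simplified stand-ins for the pattern described above; NOT the i18n package's code.
sealed class LanguageTag
{
    // Assumption: a loose shape check standing in for real language-tag parsing.
    static readonly Regex Shape = new Regex(@"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$");
    public string Value { get; }
    LanguageTag(string value) { Value = value; }
    // Returns null for input that is not a usable tag, so every caller must check.
    public static LanguageTag GetCachedInstance(string langtag) =>
        !string.IsNullOrEmpty(langtag) && Shape.IsMatch(langtag) ? new LanguageTag(langtag) : null;
}

static class Localizer
{
    // Constructed sample data: language tag -> resource name.
    static readonly Dictionary<string, string> Resources =
        new Dictionary<string, string> { ["en"] = "messages.en", ["fr"] = "messages.fr" };
    static LanguageTag _default = LanguageTag.GetCachedInstance("en");

    // Before: a null langtag reaches the lookup, which throws ArgumentNullException.
    public static bool IsLanguageValidUnguarded(string langtag) => Resources.ContainsKey(langtag);
    // After: guard clause first (string.IsNullOrEmpty stands in for the IsSet() guard).
    public static bool IsLanguageValid(string langtag) =>
        !string.IsNullOrEmpty(langtag) && Resources.ContainsKey(langtag);

    // Before: stores whatever GetCachedInstance returns, including null.
    public static void SetDefaultUnchecked(string langtag) => _default = LanguageTag.GetCachedInstance(langtag);
    // After: null-check before assignment; an unusable tag leaves the default unchanged.
    public static void SetDefault(string langtag)
    {
        var parsed = LanguageTag.GetCachedInstance(langtag);
        if (parsed != null) _default = parsed;
    }
    public static string DefaultValue => _default.Value; // dereference fails if _default is null
}

static class Program
{
    static void Main()
    {
        foreach (var tag in new[] { "fr", "", null, "%%%" }) // constructed inputs
        {
            string shown = tag ?? "(null)", unguarded;
            try { unguarded = Localizer.IsLanguageValidUnguarded(tag).ToString(); }
            catch (ArgumentNullException e) { unguarded = e.GetType().Name; }
            Console.WriteLine($"{shown,-7} unguarded={unguarded,-21} guarded={Localizer.IsLanguageValid(tag)}");
        }
        Localizer.SetDefault("%%%"); // rejected, previous default is kept
        Console.WriteLine($"default={Localizer.DefaultValue}");
    }
}
```

A regression test for the patched package can take the same shape: feed null, empty and malformed tags to the validation and default-language paths and assert that none of them throws.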
